23542300x800000000000000021219164Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:35.569{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425BA74B4228C6FE8C31C02930EE7C16,SHA256=4B2D30D4455A8AD7115AEDE82A55FA275690E05303126CED177F2E22D6DF21E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:35.339{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:35.338{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C89B3A0575F3891DA109C6276A71365,SHA256=E79AF8426D4B8FD5953D287A29E99D442762C01F27993D6DD49750BA9ADCBBCBfalsetrue 23542300x800000000000000021219163Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:35.132{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2BF6D0F69F7BB43A84392053972F356,SHA256=77B7B21ED70BCAE971FB68CD3549AF173FA6FAC5187A6F6FF2B31617661BCCEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219162Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:35.132{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C9E95545A6E516316C0B5612230BA73,SHA256=2875474717BAE482CE59F352768AC4B7993CECBF78F18344DD0310BB0F33E4B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219166Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:36.632{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC0823210E2577D30F86DA1991F53CF,SHA256=8DF73CF36E39A71AFD33DE58A79D2F893F3321361F642C255DEDF7679517C109,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.357{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.357{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0657B32B4C98A9D8FD1128CC64B03856,SHA256=26B5922167352ACC8954B5CDF7997E5CF3FAE4C55038E9AFBFAD60379612B1A1falsetrue 354300x800000000000000021219165Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:22.551{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64292-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.341{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-16 14:17:08.076 23542300x800000000000000057343854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.341{8B6011A9-BB8A-618B-4CA0-04000000F101}7452NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98Dfalsetrue 23542300x800000000000000021219167Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:37.694{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44293EA23D0E1B64534411E7C0396D12,SHA256=70034AFD12AA24A89D1995E586DBFFED4363EE9036221BA69CD33411E68DD736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.371{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.371{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6C84A400FB6E72B76DA1F8C1853831,SHA256=770E6DC6BE9B0E1EEF17233AB3263C10747BBA4396E84B12A66B20A9EE413502falsetrue 11241100x800000000000000057343861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3AC4231DBA35EC82CD8E1356C4AF9F,SHA256=ADD62B792347D8AF85C019FD5F1E36B1BAC45E99B1EB606439FCA60A0B8075A1falsetrue 11241100x800000000000000057343859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5B0C869862CC32561AC94AF5C9256E2,SHA256=DB660A3E6AA8D3E0DF4A5029BCCC00889BAA227C20EB008168727E27B16C511Ffalsetrue 23542300x800000000000000021219168Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:38.726{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678BDB7BC010F782124BD2CC79E4213D,SHA256=6C2FDC0BB854CABD46466CC37BBF73C9542D1BD694D27CFB63192901F4019272,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:38.386{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:38.386{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950890A13E5FC1FFAD79813078DAF877,SHA256=9EFF8E19F111CEA459DB9D3BEC65163693DB54AD9E1D3ED7145DB1F88CC763FEfalsetrue 354300x800000000000000057343865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.670{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54497-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x800000000000000057343864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.439{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54496-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219169Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:39.929{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98657D5B91E5A0FBDB72071837DB16A,SHA256=CD12CDBF908FA1B3861704EA0207DDA08140AB27B782810FEF1673B29FEC3C82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:39.416{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:39.416{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5913E396BDC859F0E81E9079A771D9DB,SHA256=00104EFE3F841A233375023A9638AFF1274B78CF6001E479D539EC414FDED167falsetrue 23542300x800000000000000021219170Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:40.929{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F016567EAD02D33887BF4193C47B6336,SHA256=20190D8C6E637BBE82FF0FDA0D641F10971658F9CDD3DC474288936F6F55143E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:40.417{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:40.417{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD8547CDFDB85FFB2E4B2D1C6B3E053,SHA256=3EDB2FCAC8972BBDEC0FD4BBEDE2A3F8EB03FCEB079B2A0BFFD36AF36AEF6C8Dfalsetrue 23542300x800000000000000021219173Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:41.929{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D45358B90AD175CEF2FDB834C00506,SHA256=6DCDB28F6192FFB53ED1F3C51D3C48F30A7753B5915AF1269197C95E124C093A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:41.420{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:41.420{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C7E559A7699C52636B4FD4D3B1A4A2,SHA256=981725DA04300C6B34054CC46ED2ABD022929EB3F755C8557185EA92F3FC1F0Ffalsetrue 23542300x800000000000000021219172Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:41.382{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C474F335592DF50730468A95FF3A8F29,SHA256=1C08889B4CD183EF8A377FE18357572CCF0E150801AFBD06047C6CCAA0237ADA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219171Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:41.382{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2BF6D0F69F7BB43A84392053972F356,SHA256=77B7B21ED70BCAE971FB68CD3549AF173FA6FAC5187A6F6FF2B31617661BCCEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219175Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:42.960{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F0C22848ED9E4FF81E52A60B9C3A3B,SHA256=E472C0191E8D93347A17592B1DA4B9EDA6D94B55459761E50F280A41F248EC3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.457{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.457{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E67F181A895227BEA96BDDC7E36E73,SHA256=5EE5213F7B42B0C06404F5D992EEC128823DE7A615F66672BAF8271DFABDF4D7falsetrue 354300x800000000000000021219174Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:28.582{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64293-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C1F5A7FB25F839419FCCEE2BCF9AF3,SHA256=E5BCBD9770C493618B088E343F243BFE1703311020D4F5D87282669DCF5A2081falsetrue 11241100x800000000000000057343875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3AC4231DBA35EC82CD8E1356C4AF9F,SHA256=ADD62B792347D8AF85C019FD5F1E36B1BAC45E99B1EB606439FCA60A0B8075A1falsetrue 23542300x800000000000000021219176Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:43.960{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936D5248CD07A0BD6EE68BE942184DDC,SHA256=FC6A7857CCCE25D5604F4B98C528D857D419950F3E0C3435CFF183582DF2E1D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.539{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.538{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C1F5A7FB25F839419FCCEE2BCF9AF3,SHA256=E5BCBD9770C493618B088E343F243BFE1703311020D4F5D87282669DCF5A2081falsetrue 11241100x800000000000000057343882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.472{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.472{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0427D36805B76F6D830E6E4F223EFCF8,SHA256=E20573552AD37158A16CF4DCB2B639CC0F736F51AD9059D282CE0B5B72F28BBAfalsetrue 354300x800000000000000057343880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:13.472{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54498-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219177Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:44.976{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA916D8919A36BCAD0A3DA7252567F8,SHA256=D6DC3933A54B71CF24791001357A2A55DAB4D81EF108265B5AB3A0CE58EBCCFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.488{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.488{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D41BC4E92A929DC8E7C7881843619B8,SHA256=4E99972F2897005A17B4612705CE35C7321D2A660BD903C7256F4D71B8508C34falsetrue 11241100x800000000000000057343886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.204{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\default\https+++vscode.dev\idb\2366965780vbsdc-obdeew-.sqlite-shm2021-11-12 12:14:44.204 11241100x800000000000000057343885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.204{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\default\https+++vscode.dev\idb\2366965780vbsdc-obdeew-.sqlite-wal2021-11-12 12:14:44.204 11241100x800000000000000057343890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:45.503{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:45.503{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A69B354C6826D87B7EB7A3EAC442200,SHA256=FE8A0BA010A97F5A634D02FA011E00B8B01CA4833A39B28FDE26E237E79FD668falsetrue 11241100x800000000000000057343892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:46.537{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:46.537{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A14AF2DA4937DDF958A128179FD08B,SHA256=E33E207B4CF05B8D5FC89D233637372986D459BC3068386309A149F528F9D2B0falsetrue 10341000x800000000000000021219181Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.694{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-0F00-00000000F101}964C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219180Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.694{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-0C00-00000000F101}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219179Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.257{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C474F335592DF50730468A95FF3A8F29,SHA256=1C08889B4CD183EF8A377FE18357572CCF0E150801AFBD06047C6CCAA0237ADA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219178Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.007{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CF0953E7E65314E18DCF31635D3573,SHA256=A9DAB33AC75F9B6900B3E19407509EDE5456D9DFDF26A6F418D669BE165D1DF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:47.574{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:47.554{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DED9B4595DAEDC949A9DAED75382FE6,SHA256=77697784960BB710F7DB862823DDC0BDCCB17181F608123FC68EE53E1771362Afalsetrue 10341000x800000000000000021219187Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-A1B2-6168-2661-04000000F101}4008C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219186Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1000-00000000F101}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219185Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219184Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-0C00-00000000F101}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000021219183Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:33.660{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64294-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219182Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.038{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321766C66548B7349712AB66278D7430,SHA256=0896CBCD7247309921FCDF0CF6753AF6BD26B75DFDB5A15E4661ED86792C6E96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057343902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:14:48.901{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057343901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:14:48.901{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057343900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.569{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.569{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A7F74E383976AFA10AD0EBF3689CCA,SHA256=79FCC6972A723FEC95264F473B5003061B2B578789EDF41BDF2B92B2FF823803falsetrue 23542300x800000000000000021219188Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:48.042{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31CFCA7E53D2C077FC1847F008EF322,SHA256=87D67111CF522D26623909E76F97C8303CB29F86BB5082292DF78B71AED51230,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.505{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54499-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D3A5D6BE7339CC666380FA50CF33E4B,SHA256=BF83BED3418C8B06296D541CCE62C22A1C75F720C01360D1388AEA8ADB20DFABfalsetrue 10341000x800000000000000057343895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.132{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886D-6164-0F00-00000000F101}92C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057343911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.936{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.936{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9738D4AC8DF7E1D4FBAEE738719FA175,SHA256=E3C42EE7CDAF559F8CCC69C3FE510C764A19EBB16A2DE345ABECF5FB07C9565Dfalsetrue 11241100x800000000000000057343909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.570{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.570{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FBC67DB7482AB7FC83F06FF0F6F4E5,SHA256=1A99F35D8576EDCD5D2071A5898686932FF10C7784C12892A6BB42FC902B7C05falsetrue 23542300x800000000000000021219189Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:49.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B719FAEC22AA00DCA3133BF89574C3,SHA256=250CA4AF6465F606B1C6447EAB188E7E82B914FEA4FDEA119FA9FE3AD29D89E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000057343907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2A00-00000000F101}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886D-6164-1100-00000000F101}420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-8897-6164-8000-00000000F101}4756C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886D-6164-0C00-00000000F101}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057343914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:50.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:50.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB6C8545350A02E37AA8C716D0F2A8B,SHA256=2A794512BDDB4E5FCFB6D9C280920EED51E6E53114FC4CF206C0A95C1CC403F7falsetrue 23542300x800000000000000021219190Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:50.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560458CA3047A34459117B795745E2D3,SHA256=0A074C6208D566B0B6C199D385ED7D9EEDF6CABD17FBB96DB47D8C1B5726C51B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:21.255{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54500-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057343916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:51.600{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:51.600{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139205E1E545ADB0F575C04E02DF6FB6,SHA256=67AF672CF595D4C4F4975ADA3B2CA438C614954045C0FA77B0845B59C3621FE5falsetrue 23542300x800000000000000021219191Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:51.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7698D0F0C9D1096C818E1BCF938DFF,SHA256=B1191710FB27003EF1B1D03F9988DF628C7EA255EE26E627B72B0C2C1384C6F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:52.633{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:52.633{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4A9315CAE98FA30B655E5D5A250D13,SHA256=66B1FECD762DE95C7D3903C5D2DAC04B5E0CE1933246AFEF97F7B395DAB27EC6falsetrue 23542300x800000000000000021219194Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:52.245{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B14F832FE6B4F31599C42B1F948697,SHA256=DCC02F3A910E341239BBB35D374B654E8FD46FFCE4AFB051D412155FC438CDC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219193Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:52.245{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B610E362CEC9685C16E327A7356FA7D,SHA256=883840BFA1A47F496C65ED1BF2F5DF262EFCE7CB1ACF4F34BC8A93869323B899,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219192Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:52.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461AC19B178059EA1E1683DB00CE54AD,SHA256=181CB469D63898259EFA88445A28FB80F0DD2419A8E1B4EA9852AA93A2E551C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.652{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.652{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E057F7175A1EABE528B264A5CCE0D2C8,SHA256=9A7FDF018330D4A0706EFBF7ABDEAA3B736CFDEAEEA9E0C3D8DC685C0B8BCA70falsetrue 354300x800000000000000021219196Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:39.633{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64295-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219195Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:53.089{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE4F96837A268B61950230332C406DF,SHA256=E8504098D6182A8F33E7E2D5CF6744144D57D285A884F38B9B8B67EE25AE2AAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:24.519{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54501-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0395A72D647583BDAA03FB8E9D813D7C,SHA256=A1EFB8A42D929BFA678F3FBF9BF58DE23A560ABA29F0E2C0CBE7689CEA351F68falsetrue 11241100x800000000000000057343929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.668{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.668{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296AB0BCE0B2155A4CBEFA73A81109D2,SHA256=65C08C27BA03657689B0C0672FFDED8257F52C83BD596C196FAFD8A73116F2BBfalsetrue 23542300x800000000000000021219197Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:54.136{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09934B9C691CDAB9BF0E91317A032BF,SHA256=2280572525D3BC1D82055BC4C3DCA57280B5BC692EEF9F1663AC93F4422E9A56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.652{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2021-11-12 12:14:54.652 11241100x800000000000000057343926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.652{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2021-11-12 12:14:54.652 11241100x800000000000000057343925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.636{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2021-11-12 12:14:54.636 11241100x800000000000000057343924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.636{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2021-11-12 12:14:54.636 11241100x800000000000000057343931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:55.686{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:55.686{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF83B3F52A964A480DD4F9DE4AA58C4,SHA256=07B1782A43A152966C6BC48115AA14A443DFBCDBB251B2EB67F85245FFB0F79Dfalsetrue 23542300x800000000000000021219198Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:55.152{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4D868EE051E12E41849EABEEA18D2B,SHA256=655CD804CD36E149DAD7BBC4AB98FAE151D0D3EF0A5149F70D5D1A7FB42251F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:56.700{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:56.700{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F19B414F8EFEC1AD08F09D9100A194,SHA256=1DA8259EF65B079010E300FF6C66611F97F92EC5F8CA231B0CEE5B35D8801B9Cfalsetrue 23542300x800000000000000021219199Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:56.199{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416C3FD83596EA0F8971273AB324442E,SHA256=E69EF17A3F1808D507FB6A1F312BCC5CF2105F5A1BCFAFFDC958C280927B4CAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000057343932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:56.233{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\default\https+++vscode.dev\idb\2366965780vbsdc-obdeew-.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EBfalsetrue 11241100x800000000000000057343936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:57.734{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:57.733{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C967848C9BBA53679E643758CB8377D0,SHA256=CE4FE3CB765F8D7B5383EDF797FED159254A92E4F1FAD2D2FC7FA74DA034FD19falsetrue 23542300x800000000000000021219200Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:57.214{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF10907895EB8A18A16DC834D9B884B,SHA256=AB05E43DA04618E7771F796258B4F3E1976881CE0A9C457FC82BCC2A3F93C551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.751{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.751{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5215E3BCB6560AA16DA8130F0CFEDC,SHA256=BA307D472DDF50F5F5F1E3FC585505E9470D1F9751589F1E9D6A04CF49C8D653falsetrue 354300x800000000000000021219204Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:45.664{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64296-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219203Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:58.261{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB694BBC1E1BE62DF0BA001968447F70,SHA256=32A5028C8A3B230F0646800D4300B167E444B5A540863D60DE0286BC04C51BEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219202Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:58.261{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B14F832FE6B4F31599C42B1F948697,SHA256=DCC02F3A910E341239BBB35D374B654E8FD46FFCE4AFB051D412155FC438CDC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219201Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:58.261{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63E226798F606D8F301877B31D95373,SHA256=310305A4F64009BE353D43FCAE91793D4809D195639DDD6DDB0B9BC4681A3CD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD0C60E7D25ECAAEF011D1F7CD1B5C97,SHA256=EB4632084E8028DF3263E5FD7333F4D93FCB4ADE24A0BD5879F364CE4EFA6B41falsetrue 11241100x800000000000000057343938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.233{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.232{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A9D143C8427B4D0891DD82C25CBD7EE,SHA256=91A97A30FE28B4F0BF272D526873FCE864D7225613CBE4A6912A096B308AE35Afalsetrue 11241100x800000000000000057343945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:59.765{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:59.765{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55853FC8CA2D72D6867BA3409825C667,SHA256=87951FEC8209C94BCAA7FD688F6E364208511CD901B2B83974FC4895685F3248falsetrue 23542300x800000000000000021219205Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:59.292{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF77DD49EABFC6F7C5BA25D6B251824,SHA256=EB963CAABC65E9B4A3C40D5A2978686AAC8844D2A99BE3893238E734ED86E86C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:29.565{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54502-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:00.780{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:00.780{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFCFC01C676CAD1A88B6DD642138574,SHA256=CEAB282BED9653ED67B3215F2BDD2AA40E9C715BD29522DE0C63885E05093B50falsetrue 23542300x800000000000000021219206Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:00.292{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6245E09403290902A5CEAE6BF4BDE1,SHA256=133A8004C4155C2ADAA40CC5CBF7A85E4D735BF4DF47ED85D85E9E55E752E2C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:01.781{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:01.781{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42DB9C80F0200140355D6F62D0D6B66,SHA256=DA3853C7E69CCB9265DB813A6201CDA0C79DE496CF8ECCF1B949A6EFCF5ADFE0falsetrue 23542300x800000000000000021219207Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:01.308{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81880A920765EBCD9198DBF17F9EFFB3,SHA256=CD466FB89091F4BD72D0E4EC1C6CA7B26D002B1558097A93ED71D74AD293328A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:02.796{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:02.796{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C358C7F71AAC6132E6708E8BB9FE3A7,SHA256=5C24691976943AEFE3D5C108598DEFF7607F06EEBF2061ABE0874693569700BBfalsetrue 23542300x800000000000000021219208Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:02.323{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE0CE4E70A5160014DB6ACE8E27B922,SHA256=420667B2F03951117A5730F1FE000BA632E32C849D157EA183603C1C1D595C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057343952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:02.533{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057343951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:02.528{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 18141800x800000000000000057343950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:02.329{8B6011A9-887D-6164-2D00-00000000F101}3020\lsassC:\Windows\system32\dns.exe 11241100x800000000000000057343961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.811{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.811{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15DEE38A0E8DABB7D92173FD3EE2845,SHA256=5C62931A630C9451EF67447F09B578D44E200B98BEE057DE0AE6CF28FE1D4574falsetrue 23542300x800000000000000021219209Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:03.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB5D0140390BB5346E854C55ACADF7A,SHA256=1939313D5EFEC1F31DFD1BF7CD55D12960166624C661D3D51A03C97F2C5119DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:34.601{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54503-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB6AAC2FD73A9FB209DD6E30EE79EB0C,SHA256=C6DCECF16BA56DBF747C855AE6DFE83E730ED83EC68F9F336588264E4AA36903falsetrue 11241100x800000000000000057343956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD0C60E7D25ECAAEF011D1F7CD1B5C97,SHA256=EB4632084E8028DF3263E5FD7333F4D93FCB4ADE24A0BD5879F364CE4EFA6B41falsetrue 11241100x800000000000000057343964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:04.830{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:04.830{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4B25D3B0396CDEB4F806B08E9D13B2,SHA256=A287DD56B5AD488C8E88B2AFF575D3C77CCC0B660893F110683B1E91862BAB16falsetrue 354300x800000000000000021219213Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:51.523{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64297-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219212Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:04.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD876DE1FA2DC63431E5C9604FA98B3,SHA256=075494299591CC7ED6A262904403AE7D362153BEF597D0C285614CCE8B1D0F87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:34.880{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54504-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x800000000000000021219211Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:04.152{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F0678EAC7411914384F870D048218F,SHA256=2DD531E8285F1EDEBA0E0AA53A7BCD870F5DEF1B349FD96D2D1BA8F73D169861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219210Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:04.152{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB694BBC1E1BE62DF0BA001968447F70,SHA256=32A5028C8A3B230F0646800D4300B167E444B5A540863D60DE0286BC04C51BEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:05.848{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:05.848{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837386EC8B05C0512E8F796F7D4AEE9B,SHA256=68D6D8509C4068CC33BB6A9B8092C8486AC10D993187256E62DAE51799BF2F7Ffalsetrue 23542300x800000000000000021219214Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:05.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC277A57A76E4F61108940EC6236CEB,SHA256=FA7AD7744D91A950F094059334A283B36FE013C7AE181747A318539959B430E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.880{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.880{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EAF02555F7A18DA0F608BC605D34B7,SHA256=C5BB242CB098CD6CFC7317F5277C10C1CB223131C21B493FC0F708CB3F203E26falsetrue 23542300x800000000000000021219215Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:06.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB71019A7D1D642B0DD3331CC34D5A15,SHA256=801951EF252DE63A716E6B5E03CF8797060C8AC64D4FAA8B48452596BF6AF52A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000057343973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.751{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\respondent-20211011185456-44544MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63Bfalsetrue 11241100x800000000000000057343972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.750{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\respondent-20211011185456-445442021-11-12 12:15:06.750 11241100x800000000000000057343971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.749{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\surveyor-20211011185454-445452021-11-12 12:15:06.749 23542300x800000000000000057343970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.248{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EBfalsetrue 23542300x800000000000000057343969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.248{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=8D04A3688B9D9310908DD8306CFEDECA,SHA256=27318DCFA5C76A15B2D1F5292DB59514F574AA1D9086E4B458A185FFA73C78B4falsetrue 12241200x800000000000000057343968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:06.095{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057343967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:06.079{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x800000000000000021219217Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:07.622{AD5E2759-5433-6143-1200-00000000F101}292NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EA96CC8D6624300F306478AFE664102E,SHA256=B26CDDCF2CBAF63C168EE3CBAAA030AD31E0DCE7101041A6E093CABA8E8910E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219216Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:07.386{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9264FC28040D11F7EF050FDF1993CB,SHA256=831906BE81E1983DFA2BA3D5715932ABD8F6474D47DC88DF4BE85FA6A40E1CD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057344026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057344003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057344002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057344000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057343999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057343998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057343997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057343996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000057343995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057343994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057343993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057343992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057343991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000057343990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057343989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057343988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.784{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057343987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057343986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057343985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057343984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057343983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057343982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000057343981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.766{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\surveyor-20211011185454-44545MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 354300x800000000000000057343980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.431{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-469.attackrange.local61183-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x800000000000000057343979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.431{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local64786- 354300x800000000000000057343978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.431{8B6011A9-886D-6164-1400-00000000F101}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local64786-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domain 11241100x800000000000000057343977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.080{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.080{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB6AAC2FD73A9FB209DD6E30EE79EB0C,SHA256=C6DCECF16BA56DBF747C855AE6DFE83E730ED83EC68F9F336588264E4AA36903falsetrue 10341000x800000000000000021219235Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219234Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219233Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219232Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219231Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219230Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219229Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219228Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.905{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021219227Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.528{AD5E2759-5ACC-618E-FBCD-08000000F101}13205676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219226Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.388{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4413E184BB346463FDF307B882106429,SHA256=8F49AA57778FBEA8BCC7AB3E825F79A173EBF3A0759A6EDCAEC9E3D46937C42B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057344102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x800000000000000057344098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.443{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54505-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057344097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.547{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.547{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F00857DC66F18F7E85E57C660BFD7626,SHA256=A125848DB22CB9A5CCE27C886DB364F2E8D4764B069A04DDDB73E0CCAB4D3988falsetrue 734700x800000000000000057344095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.447{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.447{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000057344079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.429{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.429{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.428{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.427{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.427{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057344057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000057344052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.383{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.379{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 18141800x800000000000000057344046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000057344044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.379{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997F61B4989E1DE04C0692F16DF78261,SHA256=088C24AE85E01830F72453FFAA5B3BF19065D31074C02D882B951058E3E743A1falsetrue 18141800x800000000000000057344043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x800000000000000057344041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219225Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219224Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219223Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219222Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219221Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219220Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219219Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219218Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.264{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021219248Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.794{AD5E2759-5ACD-618E-FDCD-08000000F101}59804488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000021219247Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:56.588{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64298-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000021219246Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219245Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219244Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219243Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219242Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219241Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219240Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219239Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.592{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219238Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.388{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F9345A27CFBC4E6B155530909B77C4,SHA256=7450275A394426191B48E4383A6BD7DA7D2D163ED6C957701C9DB47944DD26BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.847{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.847{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B813601EC4A74703D0BB2EE4611F54CF,SHA256=D0FADB6A183319E24930882A3A210812CA8EE4D5DB09B022717C33BB69263223falsetrue 734700x800000000000000057344214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057344179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000057344171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.780{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.694{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.694{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=663816DC273EA87F243E1B2E84E429F7,SHA256=39C77917010B4178E1C2A2236FA8D1991F78EAB6309ED38CF88EE2E106DEE208falsetrue 534500x800000000000000057344160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}89084624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057344155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.195{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.195{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0198F8412F35DFEF9B289A6983F79E,SHA256=4BE4C5A3C74248FC6B79CC5F37C7A7CA2C7F08DEC08876320A9113A4C70670CCfalsetrue 734700x800000000000000057344153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057344111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.080{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000021219237Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.169{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1612729D1147F57418B6F4B367C3C8B,SHA256=1F0F536C6B688367727B17A24C3D4EC81AF3FD1066966078E19958A0AA5EB326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219236Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.169{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F0678EAC7411914384F870D048218F,SHA256=2DD531E8285F1EDEBA0E0AA53A7BCD870F5DEF1B349FD96D2D1BA8F73D169861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219267Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219266Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219265Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219264Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219263Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219262Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219261Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219260Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.967{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219259Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.622{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1612729D1147F57418B6F4B367C3C8B,SHA256=1F0F536C6B688367727B17A24C3D4EC81AF3FD1066966078E19958A0AA5EB326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219258Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.482{AD5E2759-5ACE-618E-FECD-08000000F101}16483064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219257Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.388{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C77FCBED8E94142F27CE3194CF5644F,SHA256=BE6AC835066FE5A1D8866D761B982519A1288C841C28C469E5A782210704E2F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.779{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.779{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE7B2BF5EE6C337BA5FB69E069372FB6,SHA256=20FBFA2ACF5D3A1C841FAFC7B0CF911278AD24B0F2E56B3A82EE4E118693D23Cfalsetrue 354300x800000000000000057344280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:40.415{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54506-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x800000000000000057344279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.663{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000057344278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.648{8B6011A9-5ACE-618E-35F3-04000000F101}52848096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.648{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.648{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057344275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057344271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057344269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057344237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000057344232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.465{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.264{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.264{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CED18287D309809C08CAB51D91952D,SHA256=EB39B80617DD049537F8EFF9C3350235EF72644BB3189E07FBBA254861C08BF7falsetrue 10341000x800000000000000021219256Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219255Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219254Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219253Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219252Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219251Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219250Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219249Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.279{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057344221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.010{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.010{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.010{8B6011A9-5ACD-618E-34F3-04000000F101}53727892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.994{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.994{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219277Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219276Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219275Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219274Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219273Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219272Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219271Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219270Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.654{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219269Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.403{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31FFDE127DD127AC32CD4A9D99116CA,SHA256=4C63F33A40D4E6C4090C5B70F4484542573694827A1BF04C019158BA7B60EAD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.910{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.910{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.910{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057344390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057344388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000057344357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000057344351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.864{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.628{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.628{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06EDC2B4D7B1349B1E468FC445F9431,SHA256=FBBA76C376EC9C30FDF315148AE6DB1B0732CF75633B733D747F70F27E84536Efalsetrue 11241100x800000000000000057344340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.464{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.464{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055AE02E2DCB8D2C26C1F43F28EDBE57,SHA256=96CDCE3ED1CD7C34778656E541B9878CFAB81B7A56ABE3F557CA7C876D3B4359falsetrue 534500x800000000000000057344338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.394{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}91686404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000021219268Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.075{AD5E2759-54C7-6143-A600-00000000F101}4072NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057344291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.164{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x800000000000000021219289Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:59.495{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64299-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x800000000000000021219288Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.607{AD5E2759-5AD0-618E-01CE-08000000F101}6003504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219287Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.419{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B44D958F5BCF8E3118DC2F5DC2B0B38,SHA256=3AA814590082E8E2070D4A6E6A316D394A673F265F70092B37A1933595097B73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.463{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.463{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7FA3909462AB033A710626CF0D221E,SHA256=2C87B3D992C31FEE68F59C000BE5DCE47C3418EEBB9A7AEDBA6CAF81E0D05573falsetrue 10341000x800000000000000021219286Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219285Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219284Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219283Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219282Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219281Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219280Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219279Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.342{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219278Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.997{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38A832277DF4898193BE3A0EFAE6B7A5,SHA256=0487E9FAB89872798F357181633A287E47AB1DC66DEDF9929F6DC8F01F316764,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.163{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.163{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8438AFF0F19E71E3EAF36B96BB7B0D3,SHA256=BFC0ECF0E4CF9F54427F3C04B5F4583553D74F63A0CB6A71ADD71CA6A39D45C3falsetrue 534500x800000000000000057344398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.094{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057344397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.094{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.079{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.079{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000021219291Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:13.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C681EAFBBFC3C6D5B4CCA8BA92ED1043,SHA256=244D75456034F98A1B5235815053A421A04D8143CC2E6C17177BEBE0F969A522,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:13.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:13.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E2BEF7DA52F69CB785F134C2A5BEF4,SHA256=AD1FDCDDEE1059A6A7F45B5F65B559FDE7AE8AAD84562D21F3E76990C4470B51falsetrue 23542300x800000000000000021219290Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:13.356{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBF1C455FB11DC1D812436AF70F480A9,SHA256=834FB16485C0E5A3C363E695326C31522D2767513A0B1A317828EA47E1CEBD90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:45.597{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54507-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057344410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.561{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-10-11 18:54:38.077 23542300x800000000000000057344409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.561{8B6011A9-886D-6164-1200-00000000F101}460NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=726F88141901F8B5728F753E7B1B4426,SHA256=E6406F6A79CBD81484F7E174AB88476A6B706868C4D7252AF801F74B3D1B472Bfalsetrue 11241100x800000000000000057344408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F50ABE936C653709A59DFAD406AAD6,SHA256=F17CEDC200154D5D24DB1BFF0359D922BD8A8ACA81D83D5EB0CF1D4A46C9138Afalsetrue 354300x800000000000000021219293Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:01.619{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64300-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219292Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:14.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75998EF452600E4E645FCC0483EB07B8,SHA256=BAC0BA3BE1A7CE01E788E77E264E7CDCD88CA6B778E97A8FBF4F3443C6D20A14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.277{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.277{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDA5599BA9E82CD1353039CAD5DCEF8A,SHA256=49AB45C898CA8692EF70E83F1F1E0EAE28294CB936C7EF539BD84615DDF681F4falsetrue 11241100x800000000000000057344413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:15.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:15.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4408F21A48DDF96533598B3871FB92BA,SHA256=2DCEDC3C7387F77BB9FE13DD95A276E23564048E09FA3645B806A5A93AC06CBDfalsetrue 23542300x800000000000000021219294Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:15.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478A8C1A388D240A855D3BCBB5E3E5DA,SHA256=FE188A0DCAEC2A58FCE0477BF5B8C853663DEEB919090A78E6E88CFE3B0AED42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219295Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:16.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84E2668FBC8A922EE9C8256714D18D0,SHA256=C0DB76DB3A81CE881F2E50B50947769C9C10DE67E0EB72B73123833E6CA18806,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:16.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:16.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEA4F33368D89B0738739E1724CD37A,SHA256=429BA880A32F3152A55B66EABA42DE2BE2F361D0B99201921F48876C0C6FEB68falsetrue 23542300x800000000000000021219297Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:17.453{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38A85FEB8E0D1940B360CE30356DB79,SHA256=EF4E58DCF9026698D2244E436FC9F350EE79BD88F090BB5C079878898E59DE6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:17.526{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:17.526{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8597477DB647BB3405DB15D54F7434DD,SHA256=8B1D45FDE35C2360E30534735F989E295FE4931233A8E2354CCE1888E02070ECfalsetrue 23542300x800000000000000021219296Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:17.298{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\respondent-20210916142702-79906MD5=8085950F126672766A1DF0580C539A31,SHA256=836015C54DD1F9176CE157D9E23B9B47C196C9CF50DD587B63CC20EE15FEF46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:18.574{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:18.574{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C03B6BFC53D3AC772008F177315269B,SHA256=68C224939B9086C1B371ACE5E44D9E77D12655C77FF8DBD74C06930DC3E02F81falsetrue 23542300x800000000000000021219300Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:18.467{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6DA7DE0DA8840CAD1FA033284AEC10,SHA256=0F6A04D0BCFDEE93BB1A0542D40AA9BB7475D6F7D74BB0073025EE1D6A53B692,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219299Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:18.297{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\surveyor-20210916142700-79907MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219298Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:18.141{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-A1B2-6168-2961-04000000F101}3520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057344419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:18.374{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057344418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:18.374{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 354300x800000000000000057344429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:50.726{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54508-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 354300x800000000000000057344428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:50.726{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54508-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 11241100x800000000000000057344427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.589{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.589{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BF5E26EECC5C4364960E9674AD3C40,SHA256=B491AEF571E147FEF29E36CA41BE49FE81548D15A3A733B005CD468ADF74DD37falsetrue 23542300x800000000000000021219301Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:19.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58164F88E82988DA6309C983CBE5B69,SHA256=2BD83F8320FC8A5B1FF24CDB2589E1A65328B9F2AA611979ACAA20EBF754CE51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91ABF6CC3D7D369431780EE1B18FD69A,SHA256=F3C9709A35E54663FF97C90F7B026E5DB7562A92895A0C589A95554685D19851falsetrue 11241100x800000000000000057344423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA78EA8018F8731756D1BDB1BDFF147F,SHA256=8782FEA90218454CC006C5828E991D580FE14F1417EDD34DFA80669FC10621ECfalsetrue 354300x800000000000000057344432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:51.494{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54509-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057344431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:20.603{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:20.603{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956CE488555B9D431A7FFEFB8A97CAE4,SHA256=C10EF0FAA92C197BD9E04E9CDA479D1CE84B800F0C8CD424FB56614963E90C9Afalsetrue 354300x800000000000000021219305Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:07.546{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64301-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219304Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:20.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EC772EA9AAF39D7F4E777EC07E9190,SHA256=734CC3DE954211B2919873A663D1DB94F088B4C10E81273FAAC6E794BA37F26D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219303Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:20.205{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07D9C24CB56B17336116C84A2696FEE7,SHA256=356EBA85E1E3AB29420B816EAEFDEF8F2AA93691868B18F7A8515E9A90880FD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219302Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:20.205{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3ACBBCC3163EE28383DEF229E6DCB41,SHA256=E177C3B5C2B424E512D41554FF9BD633827869BFC51A9C5307760094676ADE33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219306Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:21.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C89FD1ADBE82834D88084FAFFF53EBE,SHA256=86ED0162AE101060AFAAE496B5AF8286A0F7A9B0403FDEB74FD88B8A27E10A9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057344471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x800000000000000057344470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x800000000000000057344469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x800000000000000057344468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x800000000000000057344467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d7d7be) 13241300x800000000000000057344466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0xf69952f1) 13241300x800000000000000057344465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d7d7be) 13241300x800000000000000057344464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0xf687b1db) 12241200x800000000000000057344463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x800000000000000057344462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List 12241200x800000000000000057344461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 13241300x800000000000000057344460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x800000000000000057344459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x800000000000000057344458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x800000000000000057344457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x800000000000000057344456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-469 12241200x800000000000000057344455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x800000000000000057344454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x800000000000000057344453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x800000000000000057344452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-469$ 12241200x800000000000000057344451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x800000000000000057344450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x800000000000000057344449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 10341000x800000000000000057344448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:21.172{8B6011A9-886B-6164-0B00-00000000F101}6489376C:\Windows\system32\lsass.exe{8B6011A9-884A-6164-0100-00000000F101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 12241200x800000000000000057344447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x800000000000000057344446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 12241200x800000000000000057344445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172