23542300x800000000000000021219164Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:35.569{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425BA74B4228C6FE8C31C02930EE7C16,SHA256=4B2D30D4455A8AD7115AEDE82A55FA275690E05303126CED177F2E22D6DF21E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:35.339{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:35.338{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C89B3A0575F3891DA109C6276A71365,SHA256=E79AF8426D4B8FD5953D287A29E99D442762C01F27993D6DD49750BA9ADCBBCBfalsetrue 23542300x800000000000000021219163Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:35.132{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2BF6D0F69F7BB43A84392053972F356,SHA256=77B7B21ED70BCAE971FB68CD3549AF173FA6FAC5187A6F6FF2B31617661BCCEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219162Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:35.132{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C9E95545A6E516316C0B5612230BA73,SHA256=2875474717BAE482CE59F352768AC4B7993CECBF78F18344DD0310BB0F33E4B0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219166Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:36.632{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC0823210E2577D30F86DA1991F53CF,SHA256=8DF73CF36E39A71AFD33DE58A79D2F893F3321361F642C255DEDF7679517C109,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.357{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.357{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0657B32B4C98A9D8FD1128CC64B03856,SHA256=26B5922167352ACC8954B5CDF7997E5CF3FAE4C55038E9AFBFAD60379612B1A1falsetrue 354300x800000000000000021219165Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:22.551{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64292-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.341{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-16 14:17:08.076 23542300x800000000000000057343854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:36.341{8B6011A9-BB8A-618B-4CA0-04000000F101}7452NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98Dfalsetrue 23542300x800000000000000021219167Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:37.694{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44293EA23D0E1B64534411E7C0396D12,SHA256=70034AFD12AA24A89D1995E586DBFFED4363EE9036221BA69CD33411E68DD736,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.371{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.371{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A6C84A400FB6E72B76DA1F8C1853831,SHA256=770E6DC6BE9B0E1EEF17233AB3263C10747BBA4396E84B12A66B20A9EE413502falsetrue 11241100x800000000000000057343861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3AC4231DBA35EC82CD8E1356C4AF9F,SHA256=ADD62B792347D8AF85C019FD5F1E36B1BAC45E99B1EB606439FCA60A0B8075A1falsetrue 11241100x800000000000000057343859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:37.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5B0C869862CC32561AC94AF5C9256E2,SHA256=DB660A3E6AA8D3E0DF4A5029BCCC00889BAA227C20EB008168727E27B16C511Ffalsetrue 23542300x800000000000000021219168Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:38.726{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678BDB7BC010F782124BD2CC79E4213D,SHA256=6C2FDC0BB854CABD46466CC37BBF73C9542D1BD694D27CFB63192901F4019272,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:38.386{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:38.386{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=950890A13E5FC1FFAD79813078DAF877,SHA256=9EFF8E19F111CEA459DB9D3BEC65163693DB54AD9E1D3ED7145DB1F88CC763FEfalsetrue 354300x800000000000000057343865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.670{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54497-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 354300x800000000000000057343864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.439{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54496-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219169Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:39.929{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B98657D5B91E5A0FBDB72071837DB16A,SHA256=CD12CDBF908FA1B3861704EA0207DDA08140AB27B782810FEF1673B29FEC3C82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:39.416{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:39.416{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5913E396BDC859F0E81E9079A771D9DB,SHA256=00104EFE3F841A233375023A9638AFF1274B78CF6001E479D539EC414FDED167falsetrue 23542300x800000000000000021219170Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:40.929{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F016567EAD02D33887BF4193C47B6336,SHA256=20190D8C6E637BBE82FF0FDA0D641F10971658F9CDD3DC474288936F6F55143E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:40.417{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:40.417{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD8547CDFDB85FFB2E4B2D1C6B3E053,SHA256=3EDB2FCAC8972BBDEC0FD4BBEDE2A3F8EB03FCEB079B2A0BFFD36AF36AEF6C8Dfalsetrue 23542300x800000000000000021219173Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:41.929{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D45358B90AD175CEF2FDB834C00506,SHA256=6DCDB28F6192FFB53ED1F3C51D3C48F30A7753B5915AF1269197C95E124C093A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:41.420{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:41.420{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C7E559A7699C52636B4FD4D3B1A4A2,SHA256=981725DA04300C6B34054CC46ED2ABD022929EB3F755C8557185EA92F3FC1F0Ffalsetrue 23542300x800000000000000021219172Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:41.382{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C474F335592DF50730468A95FF3A8F29,SHA256=1C08889B4CD183EF8A377FE18357572CCF0E150801AFBD06047C6CCAA0237ADA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219171Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:41.382{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2BF6D0F69F7BB43A84392053972F356,SHA256=77B7B21ED70BCAE971FB68CD3549AF173FA6FAC5187A6F6FF2B31617661BCCEC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219175Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:42.960{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F0C22848ED9E4FF81E52A60B9C3A3B,SHA256=E472C0191E8D93347A17592B1DA4B9EDA6D94B55459761E50F280A41F248EC3C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.457{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.457{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E67F181A895227BEA96BDDC7E36E73,SHA256=5EE5213F7B42B0C06404F5D992EEC128823DE7A615F66672BAF8271DFABDF4D7falsetrue 354300x800000000000000021219174Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:28.582{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64293-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C1F5A7FB25F839419FCCEE2BCF9AF3,SHA256=E5BCBD9770C493618B088E343F243BFE1703311020D4F5D87282669DCF5A2081falsetrue 11241100x800000000000000057343875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:42.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD3AC4231DBA35EC82CD8E1356C4AF9F,SHA256=ADD62B792347D8AF85C019FD5F1E36B1BAC45E99B1EB606439FCA60A0B8075A1falsetrue 23542300x800000000000000021219176Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:43.960{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=936D5248CD07A0BD6EE68BE942184DDC,SHA256=FC6A7857CCCE25D5604F4B98C528D857D419950F3E0C3435CFF183582DF2E1D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.539{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.538{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C1F5A7FB25F839419FCCEE2BCF9AF3,SHA256=E5BCBD9770C493618B088E343F243BFE1703311020D4F5D87282669DCF5A2081falsetrue 11241100x800000000000000057343882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.472{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:43.472{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0427D36805B76F6D830E6E4F223EFCF8,SHA256=E20573552AD37158A16CF4DCB2B639CC0F736F51AD9059D282CE0B5B72F28BBAfalsetrue 354300x800000000000000057343880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:13.472{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54498-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219177Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:44.976{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA916D8919A36BCAD0A3DA7252567F8,SHA256=D6DC3933A54B71CF24791001357A2A55DAB4D81EF108265B5AB3A0CE58EBCCFF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.488{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.488{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D41BC4E92A929DC8E7C7881843619B8,SHA256=4E99972F2897005A17B4612705CE35C7321D2A660BD903C7256F4D71B8508C34falsetrue 11241100x800000000000000057343886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.204{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\default\https+++vscode.dev\idb\2366965780vbsdc-obdeew-.sqlite-shm2021-11-12 12:14:44.204 11241100x800000000000000057343885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:44.204{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\default\https+++vscode.dev\idb\2366965780vbsdc-obdeew-.sqlite-wal2021-11-12 12:14:44.204 11241100x800000000000000057343890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:45.503{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:45.503{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A69B354C6826D87B7EB7A3EAC442200,SHA256=FE8A0BA010A97F5A634D02FA011E00B8B01CA4833A39B28FDE26E237E79FD668falsetrue 11241100x800000000000000057343892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:46.537{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:46.537{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A14AF2DA4937DDF958A128179FD08B,SHA256=E33E207B4CF05B8D5FC89D233637372986D459BC3068386309A149F528F9D2B0falsetrue 10341000x800000000000000021219181Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.694{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-0F00-00000000F101}964C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219180Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.694{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-0C00-00000000F101}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219179Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.257{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C474F335592DF50730468A95FF3A8F29,SHA256=1C08889B4CD183EF8A377FE18357572CCF0E150801AFBD06047C6CCAA0237ADA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219178Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:46.007{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CF0953E7E65314E18DCF31635D3573,SHA256=A9DAB33AC75F9B6900B3E19407509EDE5456D9DFDF26A6F418D669BE165D1DF4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:47.574{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:47.554{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DED9B4595DAEDC949A9DAED75382FE6,SHA256=77697784960BB710F7DB862823DDC0BDCCB17181F608123FC68EE53E1771362Afalsetrue 10341000x800000000000000021219187Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-A1B2-6168-2661-04000000F101}4008C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219186Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1000-00000000F101}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219185Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219184Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.933{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-0C00-00000000F101}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000021219183Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:33.660{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64294-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219182Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:47.038{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=321766C66548B7349712AB66278D7430,SHA256=0896CBCD7247309921FCDF0CF6753AF6BD26B75DFDB5A15E4661ED86792C6E96,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057343902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:14:48.901{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057343901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:14:48.901{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057343900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.569{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.569{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18A7F74E383976AFA10AD0EBF3689CCA,SHA256=79FCC6972A723FEC95264F473B5003061B2B578789EDF41BDF2B92B2FF823803falsetrue 23542300x800000000000000021219188Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:48.042{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F31CFCA7E53D2C077FC1847F008EF322,SHA256=87D67111CF522D26623909E76F97C8303CB29F86BB5082292DF78B71AED51230,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.505{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54499-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D3A5D6BE7339CC666380FA50CF33E4B,SHA256=BF83BED3418C8B06296D541CCE62C22A1C75F720C01360D1388AEA8ADB20DFABfalsetrue 10341000x800000000000000057343895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:48.132{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886D-6164-0F00-00000000F101}92C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057343911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.936{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.936{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9738D4AC8DF7E1D4FBAEE738719FA175,SHA256=E3C42EE7CDAF559F8CCC69C3FE510C764A19EBB16A2DE345ABECF5FB07C9565Dfalsetrue 11241100x800000000000000057343909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.570{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.570{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3FBC67DB7482AB7FC83F06FF0F6F4E5,SHA256=1A99F35D8576EDCD5D2071A5898686932FF10C7784C12892A6BB42FC902B7C05falsetrue 23542300x800000000000000021219189Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:49.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07B719FAEC22AA00DCA3133BF89574C3,SHA256=250CA4AF6465F606B1C6447EAB188E7E82B914FEA4FDEA119FA9FE3AD29D89E2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000057343907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2A00-00000000F101}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886D-6164-1100-00000000F101}420C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-8897-6164-8000-00000000F101}4756C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057343903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:49.154{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-886D-6164-0C00-00000000F101}848C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057343914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:50.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:50.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB6C8545350A02E37AA8C716D0F2A8B,SHA256=2A794512BDDB4E5FCFB6D9C280920EED51E6E53114FC4CF206C0A95C1CC403F7falsetrue 23542300x800000000000000021219190Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:50.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=560458CA3047A34459117B795745E2D3,SHA256=0A074C6208D566B0B6C199D385ED7D9EEDF6CABD17FBB96DB47D8C1B5726C51B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:21.255{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54500-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057343916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:51.600{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:51.600{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=139205E1E545ADB0F575C04E02DF6FB6,SHA256=67AF672CF595D4C4F4975ADA3B2CA438C614954045C0FA77B0845B59C3621FE5falsetrue 23542300x800000000000000021219191Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:51.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7698D0F0C9D1096C818E1BCF938DFF,SHA256=B1191710FB27003EF1B1D03F9988DF628C7EA255EE26E627B72B0C2C1384C6F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:52.633{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:52.633{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4A9315CAE98FA30B655E5D5A250D13,SHA256=66B1FECD762DE95C7D3903C5D2DAC04B5E0CE1933246AFEF97F7B395DAB27EC6falsetrue 23542300x800000000000000021219194Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:52.245{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B14F832FE6B4F31599C42B1F948697,SHA256=DCC02F3A910E341239BBB35D374B654E8FD46FFCE4AFB051D412155FC438CDC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219193Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:52.245{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B610E362CEC9685C16E327A7356FA7D,SHA256=883840BFA1A47F496C65ED1BF2F5DF262EFCE7CB1ACF4F34BC8A93869323B899,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219192Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:52.074{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461AC19B178059EA1E1683DB00CE54AD,SHA256=181CB469D63898259EFA88445A28FB80F0DD2419A8E1B4EA9852AA93A2E551C9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.652{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.652{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E057F7175A1EABE528B264A5CCE0D2C8,SHA256=9A7FDF018330D4A0706EFBF7ABDEAA3B736CFDEAEEA9E0C3D8DC685C0B8BCA70falsetrue 354300x800000000000000021219196Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:39.633{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64295-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219195Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:53.089{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE4F96837A268B61950230332C406DF,SHA256=E8504098D6182A8F33E7E2D5CF6744144D57D285A884F38B9B8B67EE25AE2AAA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:24.519{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54501-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:53.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0395A72D647583BDAA03FB8E9D813D7C,SHA256=A1EFB8A42D929BFA678F3FBF9BF58DE23A560ABA29F0E2C0CBE7689CEA351F68falsetrue 11241100x800000000000000057343929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.668{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.668{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296AB0BCE0B2155A4CBEFA73A81109D2,SHA256=65C08C27BA03657689B0C0672FFDED8257F52C83BD596C196FAFD8A73116F2BBfalsetrue 23542300x800000000000000021219197Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:54.136{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C09934B9C691CDAB9BF0E91317A032BF,SHA256=2280572525D3BC1D82055BC4C3DCA57280B5BC692EEF9F1663AC93F4422E9A56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.652{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm2021-11-12 12:14:54.652 11241100x800000000000000057343926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.652{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-wal2021-11-12 12:14:54.652 11241100x800000000000000057343925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.636{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm2021-11-12 12:14:54.636 11241100x800000000000000057343924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:54.636{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal2021-11-12 12:14:54.636 11241100x800000000000000057343931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:55.686{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:55.686{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF83B3F52A964A480DD4F9DE4AA58C4,SHA256=07B1782A43A152966C6BC48115AA14A443DFBCDBB251B2EB67F85245FFB0F79Dfalsetrue 23542300x800000000000000021219198Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:55.152{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC4D868EE051E12E41849EABEEA18D2B,SHA256=655CD804CD36E149DAD7BBC4AB98FAE151D0D3EF0A5149F70D5D1A7FB42251F7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:56.700{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:56.700{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9F19B414F8EFEC1AD08F09D9100A194,SHA256=1DA8259EF65B079010E300FF6C66611F97F92EC5F8CA231B0CEE5B35D8801B9Cfalsetrue 23542300x800000000000000021219199Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:56.199{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=416C3FD83596EA0F8971273AB324442E,SHA256=E69EF17A3F1808D507FB6A1F312BCC5CF2105F5A1BCFAFFDC958C280927B4CAC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000057343932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:56.233{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\default\https+++vscode.dev\idb\2366965780vbsdc-obdeew-.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EBfalsetrue 11241100x800000000000000057343936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:57.734{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:57.733{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C967848C9BBA53679E643758CB8377D0,SHA256=CE4FE3CB765F8D7B5383EDF797FED159254A92E4F1FAD2D2FC7FA74DA034FD19falsetrue 23542300x800000000000000021219200Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:57.214{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DF10907895EB8A18A16DC834D9B884B,SHA256=AB05E43DA04618E7771F796258B4F3E1976881CE0A9C457FC82BCC2A3F93C551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.751{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.751{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5215E3BCB6560AA16DA8130F0CFEDC,SHA256=BA307D472DDF50F5F5F1E3FC585505E9470D1F9751589F1E9D6A04CF49C8D653falsetrue 354300x800000000000000021219204Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:45.664{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64296-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219203Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:58.261{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB694BBC1E1BE62DF0BA001968447F70,SHA256=32A5028C8A3B230F0646800D4300B167E444B5A540863D60DE0286BC04C51BEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219202Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:58.261{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B14F832FE6B4F31599C42B1F948697,SHA256=DCC02F3A910E341239BBB35D374B654E8FD46FFCE4AFB051D412155FC438CDC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219201Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:58.261{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A63E226798F606D8F301877B31D95373,SHA256=310305A4F64009BE353D43FCAE91793D4809D195639DDD6DDB0B9BC4681A3CD8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD0C60E7D25ECAAEF011D1F7CD1B5C97,SHA256=EB4632084E8028DF3263E5FD7333F4D93FCB4ADE24A0BD5879F364CE4EFA6B41falsetrue 11241100x800000000000000057343938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.233{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:58.232{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A9D143C8427B4D0891DD82C25CBD7EE,SHA256=91A97A30FE28B4F0BF272D526873FCE864D7225613CBE4A6912A096B308AE35Afalsetrue 11241100x800000000000000057343945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:59.765{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:14:59.765{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55853FC8CA2D72D6867BA3409825C667,SHA256=87951FEC8209C94BCAA7FD688F6E364208511CD901B2B83974FC4895685F3248falsetrue 23542300x800000000000000021219205Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:14:59.292{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FF77DD49EABFC6F7C5BA25D6B251824,SHA256=EB963CAABC65E9B4A3C40D5A2978686AAC8844D2A99BE3893238E734ED86E86C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:29.565{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54502-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:00.780{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:00.780{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFCFC01C676CAD1A88B6DD642138574,SHA256=CEAB282BED9653ED67B3215F2BDD2AA40E9C715BD29522DE0C63885E05093B50falsetrue 23542300x800000000000000021219206Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:00.292{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA6245E09403290902A5CEAE6BF4BDE1,SHA256=133A8004C4155C2ADAA40CC5CBF7A85E4D735BF4DF47ED85D85E9E55E752E2C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:01.781{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:01.781{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C42DB9C80F0200140355D6F62D0D6B66,SHA256=DA3853C7E69CCB9265DB813A6201CDA0C79DE496CF8ECCF1B949A6EFCF5ADFE0falsetrue 23542300x800000000000000021219207Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:01.308{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81880A920765EBCD9198DBF17F9EFFB3,SHA256=CD466FB89091F4BD72D0E4EC1C6CA7B26D002B1558097A93ED71D74AD293328A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:02.796{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:02.796{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C358C7F71AAC6132E6708E8BB9FE3A7,SHA256=5C24691976943AEFE3D5C108598DEFF7607F06EEBF2061ABE0874693569700BBfalsetrue 23542300x800000000000000021219208Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:02.323{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDE0CE4E70A5160014DB6ACE8E27B922,SHA256=420667B2F03951117A5730F1FE000BA632E32C849D157EA183603C1C1D595C32,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057343952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:02.533{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057343951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:02.528{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 18141800x800000000000000057343950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:02.329{8B6011A9-887D-6164-2D00-00000000F101}3020\lsassC:\Windows\system32\dns.exe 11241100x800000000000000057343961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.811{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.811{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15DEE38A0E8DABB7D92173FD3EE2845,SHA256=5C62931A630C9451EF67447F09B578D44E200B98BEE057DE0AE6CF28FE1D4574falsetrue 23542300x800000000000000021219209Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:03.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDB5D0140390BB5346E854C55ACADF7A,SHA256=1939313D5EFEC1F31DFD1BF7CD55D12960166624C661D3D51A03C97F2C5119DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:34.601{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54503-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057343958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB6AAC2FD73A9FB209DD6E30EE79EB0C,SHA256=C6DCECF16BA56DBF747C855AE6DFE83E730ED83EC68F9F336588264E4AA36903falsetrue 11241100x800000000000000057343956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:03.296{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD0C60E7D25ECAAEF011D1F7CD1B5C97,SHA256=EB4632084E8028DF3263E5FD7333F4D93FCB4ADE24A0BD5879F364CE4EFA6B41falsetrue 11241100x800000000000000057343964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:04.830{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:04.830{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4B25D3B0396CDEB4F806B08E9D13B2,SHA256=A287DD56B5AD488C8E88B2AFF575D3C77CCC0B660893F110683B1E91862BAB16falsetrue 354300x800000000000000021219213Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:51.523{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64297-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219212Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:04.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD876DE1FA2DC63431E5C9604FA98B3,SHA256=075494299591CC7ED6A262904403AE7D362153BEF597D0C285614CCE8B1D0F87,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057343962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:34.880{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54504-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x800000000000000021219211Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:04.152{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F0678EAC7411914384F870D048218F,SHA256=2DD531E8285F1EDEBA0E0AA53A7BCD870F5DEF1B349FD96D2D1BA8F73D169861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219210Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:04.152{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB694BBC1E1BE62DF0BA001968447F70,SHA256=32A5028C8A3B230F0646800D4300B167E444B5A540863D60DE0286BC04C51BEB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:05.848{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:05.848{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=837386EC8B05C0512E8F796F7D4AEE9B,SHA256=68D6D8509C4068CC33BB6A9B8092C8486AC10D993187256E62DAE51799BF2F7Ffalsetrue 23542300x800000000000000021219214Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:05.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FC277A57A76E4F61108940EC6236CEB,SHA256=FA7AD7744D91A950F094059334A283B36FE013C7AE181747A318539959B430E9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057343975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.880{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057343974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.880{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56EAF02555F7A18DA0F608BC605D34B7,SHA256=C5BB242CB098CD6CFC7317F5277C10C1CB223131C21B493FC0F708CB3F203E26falsetrue 23542300x800000000000000021219215Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:06.339{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB71019A7D1D642B0DD3331CC34D5A15,SHA256=801951EF252DE63A716E6B5E03CF8797060C8AC64D4FAA8B48452596BF6AF52A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000057343973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.751{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\respondent-20211011185456-44544MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63Bfalsetrue 11241100x800000000000000057343972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.750{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\respondent-20211011185456-445442021-11-12 12:15:06.750 11241100x800000000000000057343971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.749{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\surveyor-20211011185454-445452021-11-12 12:15:06.749 23542300x800000000000000057343970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.248{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EBfalsetrue 23542300x800000000000000057343969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:06.248{8B6011A9-22EA-6170-2B5F-01000000F101}5544ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\puywnvy0.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=8D04A3688B9D9310908DD8306CFEDECA,SHA256=27318DCFA5C76A15B2D1F5292DB59514F574AA1D9086E4B458A185FFA73C78B4falsetrue 12241200x800000000000000057343968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:06.095{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057343967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:06.079{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x800000000000000021219217Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:07.622{AD5E2759-5433-6143-1200-00000000F101}292NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=EA96CC8D6624300F306478AFE664102E,SHA256=B26CDDCF2CBAF63C168EE3CBAAA030AD31E0DCE7101041A6E093CABA8E8910E8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219216Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:07.386{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B9264FC28040D11F7EF050FDF1993CB,SHA256=831906BE81E1983DFA2BA3D5715932ABD8F6474D47DC88DF4BE85FA6A40E1CD1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.814{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057344026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057344003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057344002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057344000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057343999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057343998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057343997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057343996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000057343995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057343994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057343993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057343992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057343991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000057343990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057343989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.799{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057343988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.784{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057343987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057343986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057343985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057343984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057343983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057343982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:07.783{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000057343981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.766{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\surveyor-20211011185454-44545MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 354300x800000000000000057343980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.431{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-469.attackrange.local61183-false10.0.0.2ip-10-0-0-2.us-west-2.compute.internal53domain 354300x800000000000000057343979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.431{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local64786- 354300x800000000000000057343978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.431{8B6011A9-886D-6164-1400-00000000F101}1068C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local64786-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domain 11241100x800000000000000057343977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.080{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057343976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:07.080{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB6AAC2FD73A9FB209DD6E30EE79EB0C,SHA256=C6DCECF16BA56DBF747C855AE6DFE83E730ED83EC68F9F336588264E4AA36903falsetrue 10341000x800000000000000021219235Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219234Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219233Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219232Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219231Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219230Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219229Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.919{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219228Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.905{AD5E2759-5ACC-618E-FCCD-08000000F101}4216C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021219227Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.528{AD5E2759-5ACC-618E-FBCD-08000000F101}13205676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219226Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.388{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4413E184BB346463FDF307B882106429,SHA256=8F49AA57778FBEA8BCC7AB3E825F79A173EBF3A0759A6EDCAEC9E3D46937C42B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057344102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.694{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x800000000000000057344098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.443{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54505-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057344097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.547{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.547{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F00857DC66F18F7E85E57C660BFD7626,SHA256=A125848DB22CB9A5CCE27C886DB364F2E8D4764B069A04DDDB73E0CCAB4D3988falsetrue 734700x800000000000000057344095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.463{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.447{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.447{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000057344079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.432{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.431{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.430{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.429{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.429{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.428{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.427{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.427{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057344057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000057344052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.410{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.383{8B6011A9-5ACC-618E-32F3-04000000F101}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.379{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 18141800x800000000000000057344046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000057344044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.379{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=997F61B4989E1DE04C0692F16DF78261,SHA256=088C24AE85E01830F72453FFAA5B3BF19065D31074C02D882B951058E3E743A1falsetrue 18141800x800000000000000057344043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:08.379{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x800000000000000057344041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:08.010{8B6011A9-5ACB-618E-31F3-04000000F101}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219225Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219224Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219223Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219222Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219221Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219220Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219219Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.278{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219218Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:08.264{AD5E2759-5ACC-618E-FBCD-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021219248Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.794{AD5E2759-5ACD-618E-FDCD-08000000F101}59804488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000021219247Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:56.588{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64298-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000021219246Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219245Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219244Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219243Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219242Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219241Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219240Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.607{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219239Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.592{AD5E2759-5ACD-618E-FDCD-08000000F101}5980C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219238Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.388{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91F9345A27CFBC4E6B155530909B77C4,SHA256=7450275A394426191B48E4383A6BD7DA7D2D163ED6C957701C9DB47944DD26BF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.847{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.847{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B813601EC4A74703D0BB2EE4611F54CF,SHA256=D0FADB6A183319E24930882A3A210812CA8EE4D5DB09B022717C33BB69263223falsetrue 734700x800000000000000057344214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.810{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057344179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000057344171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.794{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.780{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.779{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.694{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.694{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=663816DC273EA87F243E1B2E84E429F7,SHA256=39C77917010B4178E1C2A2236FA8D1991F78EAB6309ED38CF88EE2E106DEE208falsetrue 534500x800000000000000057344160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}89084624C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.264{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057344155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.195{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.195{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0198F8412F35DFEF9B289A6983F79E,SHA256=4BE4C5A3C74248FC6B79CC5F37C7A7CA2C7F08DEC08876320A9113A4C70670CCfalsetrue 734700x800000000000000057344153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.110{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057344111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.095{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.080{8B6011A9-5ACD-618E-33F3-04000000F101}8908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:09.079{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000021219237Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.169{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1612729D1147F57418B6F4B367C3C8B,SHA256=1F0F536C6B688367727B17A24C3D4EC81AF3FD1066966078E19958A0AA5EB326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219236Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:09.169{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05F0678EAC7411914384F870D048218F,SHA256=2DD531E8285F1EDEBA0E0AA53A7BCD870F5DEF1B349FD96D2D1BA8F73D169861,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219267Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219266Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219265Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219264Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219263Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219262Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219261Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.982{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219260Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.967{AD5E2759-5ACE-618E-FFCD-08000000F101}5684C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219259Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.622{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1612729D1147F57418B6F4B367C3C8B,SHA256=1F0F536C6B688367727B17A24C3D4EC81AF3FD1066966078E19958A0AA5EB326,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219258Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.482{AD5E2759-5ACE-618E-FECD-08000000F101}16483064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219257Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.388{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C77FCBED8E94142F27CE3194CF5644F,SHA256=BE6AC835066FE5A1D8866D761B982519A1288C841C28C469E5A782210704E2F8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.779{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.779{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE7B2BF5EE6C337BA5FB69E069372FB6,SHA256=20FBFA2ACF5D3A1C841FAFC7B0CF911278AD24B0F2E56B3A82EE4E118693D23Cfalsetrue 354300x800000000000000057344280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:40.415{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54506-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x800000000000000057344279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.663{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000057344278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.648{8B6011A9-5ACE-618E-35F3-04000000F101}52848096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.648{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.648{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057344275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057344271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057344269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.495{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057344237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000057344232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.479{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.465{8B6011A9-5ACE-618E-35F3-04000000F101}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:10.464{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.264{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.264{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CED18287D309809C08CAB51D91952D,SHA256=EB39B80617DD049537F8EFF9C3350235EF72644BB3189E07FBBA254861C08BF7falsetrue 10341000x800000000000000021219256Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219255Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219254Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219253Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219252Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219251Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219250Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.299{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219249Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:10.279{AD5E2759-5ACE-618E-FECD-08000000F101}1648C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057344221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.010{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.010{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:10.010{8B6011A9-5ACD-618E-34F3-04000000F101}53727892C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.994{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:09.994{8B6011A9-5ACD-618E-34F3-04000000F101}5372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219277Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219276Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219275Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219274Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219273Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219272Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219271Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.669{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219270Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.654{AD5E2759-5ACF-618E-00CE-08000000F101}4924C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219269Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.403{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E31FFDE127DD127AC32CD4A9D99116CA,SHA256=4C63F33A40D4E6C4090C5B70F4484542573694827A1BF04C019158BA7B60EAD4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.910{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.910{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.910{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057344390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057344388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.895{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000057344357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000057344351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.879{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.864{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.863{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.628{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.628{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06EDC2B4D7B1349B1E468FC445F9431,SHA256=FBBA76C376EC9C30FDF315148AE6DB1B0732CF75633B733D747F70F27E84536Efalsetrue 11241100x800000000000000057344340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.464{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.464{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=055AE02E2DCB8D2C26C1F43F28EDBE57,SHA256=96CDCE3ED1CD7C34778656E541B9878CFAB81B7A56ABE3F557CA7C876D3B4359falsetrue 534500x800000000000000057344338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.394{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}91686404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.379{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000021219268Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.075{AD5E2759-54C7-6143-A600-00000000F101}4072NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.210{8B6011A9-5ACF-618E-36F3-04000000F101}9168\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.194{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057344291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.179{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:11.164{8B6011A9-5ACF-618E-36F3-04000000F101}9168C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:15:11.163{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x800000000000000021219289Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:59.495{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64299-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 10341000x800000000000000021219288Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.607{AD5E2759-5AD0-618E-01CE-08000000F101}6003504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219287Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.419{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B44D958F5BCF8E3118DC2F5DC2B0B38,SHA256=3AA814590082E8E2070D4A6E6A316D394A673F265F70092B37A1933595097B73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.463{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.463{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7FA3909462AB033A710626CF0D221E,SHA256=2C87B3D992C31FEE68F59C000BE5DCE47C3418EEBB9A7AEDBA6CAF81E0D05573falsetrue 10341000x800000000000000021219286Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219285Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219284Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219283Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219282Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219281Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219280Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.357{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219279Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:12.342{AD5E2759-5AD0-618E-01CE-08000000F101}600C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219278Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:11.997{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=38A832277DF4898193BE3A0EFAE6B7A5,SHA256=0487E9FAB89872798F357181633A287E47AB1DC66DEDF9929F6DC8F01F316764,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.163{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.163{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8438AFF0F19E71E3EAF36B96BB7B0D3,SHA256=BFC0ECF0E4CF9F54427F3C04B5F4583553D74F63A0CB6A71ADD71CA6A39D45C3falsetrue 534500x800000000000000057344398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.094{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057344397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.094{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.079{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:12.079{8B6011A9-5ACF-618E-37F3-04000000F101}9584C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000021219291Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:13.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C681EAFBBFC3C6D5B4CCA8BA92ED1043,SHA256=244D75456034F98A1B5235815053A421A04D8143CC2E6C17177BEBE0F969A522,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:13.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:13.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E2BEF7DA52F69CB785F134C2A5BEF4,SHA256=AD1FDCDDEE1059A6A7F45B5F65B559FDE7AE8AAD84562D21F3E76990C4470B51falsetrue 23542300x800000000000000021219290Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:13.356{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBF1C455FB11DC1D812436AF70F480A9,SHA256=834FB16485C0E5A3C363E695326C31522D2767513A0B1A317828EA47E1CEBD90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:45.597{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54507-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057344410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.561{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-10-11 18:54:38.077 23542300x800000000000000057344409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.561{8B6011A9-886D-6164-1200-00000000F101}460NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=726F88141901F8B5728F753E7B1B4426,SHA256=E6406F6A79CBD81484F7E174AB88476A6B706868C4D7252AF801F74B3D1B472Bfalsetrue 11241100x800000000000000057344408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.477{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F50ABE936C653709A59DFAD406AAD6,SHA256=F17CEDC200154D5D24DB1BFF0359D922BD8A8ACA81D83D5EB0CF1D4A46C9138Afalsetrue 354300x800000000000000021219293Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:01.619{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64300-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219292Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:14.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75998EF452600E4E645FCC0483EB07B8,SHA256=BAC0BA3BE1A7CE01E788E77E264E7CDCD88CA6B778E97A8FBF4F3443C6D20A14,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.277{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:14.277{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DDA5599BA9E82CD1353039CAD5DCEF8A,SHA256=49AB45C898CA8692EF70E83F1F1E0EAE28294CB936C7EF539BD84615DDF681F4falsetrue 11241100x800000000000000057344413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:15.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:15.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4408F21A48DDF96533598B3871FB92BA,SHA256=2DCEDC3C7387F77BB9FE13DD95A276E23564048E09FA3645B806A5A93AC06CBDfalsetrue 23542300x800000000000000021219294Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:15.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=478A8C1A388D240A855D3BCBB5E3E5DA,SHA256=FE188A0DCAEC2A58FCE0477BF5B8C853663DEEB919090A78E6E88CFE3B0AED42,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219295Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:16.450{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C84E2668FBC8A922EE9C8256714D18D0,SHA256=C0DB76DB3A81CE881F2E50B50947769C9C10DE67E0EB72B73123833E6CA18806,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:16.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:16.507{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CEA4F33368D89B0738739E1724CD37A,SHA256=429BA880A32F3152A55B66EABA42DE2BE2F361D0B99201921F48876C0C6FEB68falsetrue 23542300x800000000000000021219297Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:17.453{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38A85FEB8E0D1940B360CE30356DB79,SHA256=EF4E58DCF9026698D2244E436FC9F350EE79BD88F090BB5C079878898E59DE6B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:17.526{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:17.526{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8597477DB647BB3405DB15D54F7434DD,SHA256=8B1D45FDE35C2360E30534735F989E295FE4931233A8E2354CCE1888E02070ECfalsetrue 23542300x800000000000000021219296Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:17.298{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\respondent-20210916142702-79906MD5=8085950F126672766A1DF0580C539A31,SHA256=836015C54DD1F9176CE157D9E23B9B47C196C9CF50DD587B63CC20EE15FEF46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:18.574{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:18.574{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C03B6BFC53D3AC772008F177315269B,SHA256=68C224939B9086C1B371ACE5E44D9E77D12655C77FF8DBD74C06930DC3E02F81falsetrue 23542300x800000000000000021219300Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:18.467{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6DA7DE0DA8840CAD1FA033284AEC10,SHA256=0F6A04D0BCFDEE93BB1A0542D40AA9BB7475D6F7D74BB0073025EE1D6A53B692,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219299Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:18.297{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\surveyor-20210916142700-79907MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219298Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:18.141{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-A1B2-6168-2961-04000000F101}3520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 12241200x800000000000000057344419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:18.374{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057344418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:18.374{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 354300x800000000000000057344429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:50.726{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54508-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 354300x800000000000000057344428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:50.726{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54508-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 11241100x800000000000000057344427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.589{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.589{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8BF5E26EECC5C4364960E9674AD3C40,SHA256=B491AEF571E147FEF29E36CA41BE49FE81548D15A3A733B005CD468ADF74DD37falsetrue 23542300x800000000000000021219301Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:19.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B58164F88E82988DA6309C983CBE5B69,SHA256=2BD83F8320FC8A5B1FF24CDB2589E1A65328B9F2AA611979ACAA20EBF754CE51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91ABF6CC3D7D369431780EE1B18FD69A,SHA256=F3C9709A35E54663FF97C90F7B026E5DB7562A92895A0C589A95554685D19851falsetrue 11241100x800000000000000057344423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:19.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA78EA8018F8731756D1BDB1BDFF147F,SHA256=8782FEA90218454CC006C5828E991D580FE14F1417EDD34DFA80669FC10621ECfalsetrue 354300x800000000000000057344432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:51.494{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54509-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057344431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:20.603{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:20.603{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956CE488555B9D431A7FFEFB8A97CAE4,SHA256=C10EF0FAA92C197BD9E04E9CDA479D1CE84B800F0C8CD424FB56614963E90C9Afalsetrue 354300x800000000000000021219305Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:07.546{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64301-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219304Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:20.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18EC772EA9AAF39D7F4E777EC07E9190,SHA256=734CC3DE954211B2919873A663D1DB94F088B4C10E81273FAAC6E794BA37F26D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219303Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:20.205{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07D9C24CB56B17336116C84A2696FEE7,SHA256=356EBA85E1E3AB29420B816EAEFDEF8F2AA93691868B18F7A8515E9A90880FD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219302Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:20.205{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3ACBBCC3163EE28383DEF229E6DCB41,SHA256=E177C3B5C2B424E512D41554FF9BD633827869BFC51A9C5307760094676ADE33,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219306Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:21.470{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C89FD1ADBE82834D88084FAFFF53EBE,SHA256=86ED0162AE101060AFAAE496B5AF8286A0F7A9B0403FDEB74FD88B8A27E10A9F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057344471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\PolicyOverdueDWORD (0x00000000) 12241200x800000000000000057344470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 13241300x800000000000000057344469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\LoggingStatusDWORD (0x00000000) 13241300x800000000000000057344468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StatusDWORD (0x00000000) 13241300x800000000000000057344467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeHiDWORD (0x01d7d7be) 13241300x800000000000000057344466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\EndTimeLoDWORD (0xf69952f1) 13241300x800000000000000057344465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeHiDWORD (0x01d7d7be) 13241300x800000000000000057344464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}\StartTimeLoDWORD (0xf687b1db) 12241200x800000000000000057344463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000} 12241200x800000000000000057344462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List 12241200x800000000000000057344461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine 13241300x800000000000000057344460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\LastExtensionMadeSyncRequest{00000000-0000-0000-0000-000000000000} 13241300x800000000000000057344459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshReasonDWORD (0x00000007) 13241300x800000000000000057344458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\NextRefreshModeDWORD (0x00000001) 12241200x800000000000000057344457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\ServiceInstances 13241300x800000000000000057344456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szTargetNameWIN-DC-469 12241200x800000000000000057344455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x800000000000000057344454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x800000000000000057344453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 13241300x800000000000000057344452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0\szNameATTACKRANGE\WIN-DC-469$ 12241200x800000000000000057344451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine\0 12241200x800000000000000057344450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 12241200x800000000000000057344449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\DataStore\Machine 10341000x800000000000000057344448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:21.172{8B6011A9-886B-6164-0B00-00000000F101}6489376C:\Windows\system32\lsass.exe{8B6011A9-884A-6164-0100-00000000F101}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 12241200x800000000000000057344447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x800000000000000057344446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\IsSlowLinkDWORD (0x00000000) 12241200x800000000000000057344445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.172{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x800000000000000057344444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 18141800x800000000000000057344443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316\lsassC:\Windows\System32\svchost.exe 12241200x800000000000000057344442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057344441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 13241300x800000000000000057344440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\NetworkNameus-west-2.compute.internal 13241300x800000000000000057344439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\DCName\\win-dc-469.attackrange.local 12241200x800000000000000057344438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History 12241200x800000000000000057344437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness 12241200x800000000000000057344436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057344435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057344434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Cache 12241200x800000000000000057344433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:21.056{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy 10341000x800000000000000021219310Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:22.595{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1600-00000000F101}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219309Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:22.595{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1600-00000000F101}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219308Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:22.595{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1600-00000000F101}1196C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219307Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:22.580{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F896E83E432FFFC0D8376889E1B66663,SHA256=69674D17D793E5D8861CC61FD351BA6D83C4B3E834B72707D6A1F4E6DB62B626,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.527{8B6011A9-884A-6164-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54514-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local445microsoft-ds 354300x800000000000000057344484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.527{8B6011A9-884A-6164-0100-00000000F101}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54514-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local445microsoft-ds 354300x800000000000000057344483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.418{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-469.attackrange.local54513-false10.0.1.14win-dc-469.attackrange.local389ldap 354300x800000000000000057344482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.418{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54513-false10.0.1.14win-dc-469.attackrange.local389ldap 354300x800000000000000057344481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.411{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54512-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local389ldap 354300x800000000000000057344480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.410{8B6011A9-886E-6164-1600-00000000F101}1316C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54512-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local389ldap 354300x800000000000000057344479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.410{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54511-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local49666- 354300x800000000000000057344478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.410{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54511-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local49666- 354300x800000000000000057344477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.409{8B6011A9-886D-6164-0D00-00000000F101}904C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54510-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local135epmap 354300x800000000000000057344476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.409{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local54510-truefe80:0:0:0:2117:fdb0:db44:3240win-dc-469.attackrange.local135epmap 11241100x800000000000000057344475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:22.088{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:22.088{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91ABF6CC3D7D369431780EE1B18FD69A,SHA256=F3C9709A35E54663FF97C90F7B026E5DB7562A92895A0C589A95554685D19851falsetrue 11241100x800000000000000057344473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:22.021{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:22.020{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A5EC4BA652D453C34EDA92743867387,SHA256=CAA91A3D2FE64BD7E901C79A7E90FC0C194EEC3A597CD74BACCABFBD11304742falsetrue 23542300x800000000000000021219311Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:23.627{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8D6EBA130FDC0F05C0517BF031B7F1,SHA256=7A1358F19BF306C5BFB7AA8ED2F7AE8BB4CA0E32EFB6F25DDE7530C015DB9D51,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:23.555{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:23.555{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B32D3FB81BE600EB6CF6D9B8DB9D9A17,SHA256=764F0A5879E21E7CC2372E84BDC96FD3BC901066EF4A2633BC0DC9DD0B9EF657falsetrue 11241100x800000000000000057344487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:23.040{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:23.040{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42EB4AA6AD9EDF7BFE1D537F0A5AF47D,SHA256=EC62E40E7AB89E4BDA716858037E6BFE8C8F62EF295116F91B1BBC2BD62C0575falsetrue 23542300x800000000000000021219312Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:24.627{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304B795D520C802A5DA1E1D5BE68B139,SHA256=D1FEEF0D8E9D4F7FF1D4B5F0F54E1C512618DBA8145860A430E364A84A05D3C3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:24.055{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:24.055{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=462581D478488F3C1EDE8F4AA1DC919F,SHA256=FBD28D4AD4D49693E20055A12471643BEE18406DBF6159CA91CD921D5541EC8Cfalsetrue 23542300x800000000000000021219314Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:25.658{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734002B42A0A3EC2D189DE1E8FC9C3C9,SHA256=E2C645D7F0E3183F0CF094476022FADCE2ECB823BB5A75DE1FFE126F0A9EEA6D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:25.074{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:25.074{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B1B6F8B0EF5367D4D978B5132D3D81,SHA256=4F75D3B97912C893C48DF003A522D56C9DF61A62F4C7F131C736662608FA7B08falsetrue 10341000x800000000000000021219313Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:25.017{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-1C00-00000000F101}2012C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219317Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:26.658{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F8C6BB378DE68D2D5E4814A1EB9908,SHA256=824B98B0410E60DE6AD6D5E980FAD60CF0BBB8F8860EE1FF4F5CB4725AF4851F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:57.473{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54515-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057344497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:26.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:26.142{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8559A14C71A6AFE42DCD2E9660EB5AF6,SHA256=87BD38559FC657A34E03C58FBA0C8EFFDCB4FF3757A228BC56477D43F51C648Afalsetrue 11241100x800000000000000057344495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:26.104{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:26.104{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C166B300537D19E96E7C2E050C7310,SHA256=97F09CE9B09F4FF2C4B2207BF20375A68A4B0130B080804EDDF6411D584237CAfalsetrue 23542300x800000000000000021219316Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:26.111{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=990161C235A5D894473AB315A605D7E5,SHA256=CC3BCC1AAB10563D8C903787936C8CB64796292716A400976116D412CEC8BE0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219315Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:26.111{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07D9C24CB56B17336116C84A2696FEE7,SHA256=356EBA85E1E3AB29420B816EAEFDEF8F2AA93691868B18F7A8515E9A90880FD6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219319Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:27.673{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54887B3D7ACAE41786B69BDB58A80AF6,SHA256=82979806402702D303AF8FBD00AA935453D6FB30DC0224CF3BF329F1B48DB9B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:27.125{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:27.124{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AD2C22205BFA7182459695E3A56F475,SHA256=0DC5BDF0CD976E97EC01C5CD6BA12C3F57972D6945B189CED8D2430697A3DCEDfalsetrue 354300x800000000000000021219318Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:13.514{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64302-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219320Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:28.673{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E36F07A127CE2227D9B6B64A762F8EFC,SHA256=B94360CCAD909177035C518E2DF49FAAE8AD9AD4B1834A58FEBE5789E473B873,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:28.555{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:28.555{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05E24844881CF47453E368329EC12F31,SHA256=0B9E03B84F10AF6ABAD166D1AC85A182D10C690550D11E1001EC899A543AAF79falsetrue 11241100x800000000000000057344502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:28.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:28.140{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15A3E78BCD772595EE17C9A21D190915,SHA256=5F643E186C7CDBD9A09BCC486AB48AC109C18B2C0F6949672520B7C15F3639D5falsetrue 23542300x800000000000000021219321Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:29.673{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E0AEAF92ADA659A84668CA9E31A8A73,SHA256=909C07EF81D307D88D66D53B0CFE7CCF577900671EACF3A909ACE6D8D5B7964F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:29.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:29.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3346FBC0D0172109F2A74314A573C7,SHA256=73DAEBBF2D99429F62155263F0EAE196018582BCEBDEE7B232CE0D992EFF60F3falsetrue 23542300x800000000000000021219322Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:30.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF6485368CBFA6B0340323696D84688,SHA256=CD895EBF70C92EEF8530C922E5D1B158059619972EF83033C715DD866EBEBA54,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:30.170{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:30.170{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF73B4B387B3B61D6D113DDAFE7F6A06,SHA256=AD1856AB03D18941550B89DE15695B656EC185CE4FA2BE060A0D3779160F8A37falsetrue 23542300x800000000000000021219323Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:31.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A074B0CD6DDB8580699B1B868F5CE62E,SHA256=86022F616C46380CA42CF56B2953B8AA737C638575B8CB56BD05E93BC6E83160,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:31.201{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:31.201{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEE39DD27615C3D3F54175338603FA55,SHA256=D56A3F3DF8B2C007136AEDCBFE6004CA344F4A74641A389F2CEF6E82CA0BC13Bfalsetrue 11241100x800000000000000057344510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:31.154{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:31.154{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3A9A43C4C0227398FF1322E2102DE33,SHA256=829837C4F92164344D34760BE65871A21CE021FD7C9A80EA417F70436F6AFC87falsetrue 23542300x800000000000000021219327Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:32.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B034E3F1334F2239B209331A71E2EB,SHA256=EBC977B88D466D3337DFC002A4F7C7C58B87BC23F834058F362B07F2FFF77328,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:32.918{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:32.918{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50657E4C95564F08A3EFDDA083E71E57,SHA256=B360E7C5614A7B24EF01C7CE82F4A591AEF042B5C085BF8F5A98BFD8C09BC7B8falsetrue 11241100x800000000000000057344515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:32.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:32.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=763535E341B218F98ADF7AE375B63C85,SHA256=3622FA6A6A6AE52050B520DB715F36F6B7B264F935D432925B752E90687634B8falsetrue 354300x800000000000000021219326Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:19.467{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64303-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219325Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:32.064{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACEECBF68BAB30261431F4166B636BD3,SHA256=D8613C650ED46D8F7F71230A4127CA16A9973222050E3C74FBB43F1F079BAFC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219324Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:32.064{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=990161C235A5D894473AB315A605D7E5,SHA256=CC3BCC1AAB10563D8C903787936C8CB64796292716A400976116D412CEC8BE0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:02.491{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54516-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219328Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:33.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA09F64CD882F57402CAB7062714E851,SHA256=DBEC7D8EEBE82ED0E95B45751F34FA68FF67BA528836A4D6293E590E6301260A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:33.268{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:33.268{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E752EC45967FCA1FC176CF9EE6ACCB2B,SHA256=331EE0E904D3A10E504C93350B3A77D22D672C7868F7E301D6FB43518489221Ffalsetrue 23542300x800000000000000021219329Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:34.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E790F7185BFCA38803D718162673D3,SHA256=93F3AB0D7439D51BC693EAD344385A20112CFD8BD3EFC1758D5842E86ED71BFE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:34.283{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:34.283{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEAB338E139EED3152F1527D50497577,SHA256=8FE3EF0B453DAA254A54B2EF7504DDAA7573584DC061B14CD5357D01743B30F7falsetrue 23542300x800000000000000021219330Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:35.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33BFE72A9619D8F3A59D2BB455CE5EF,SHA256=92637DDA4FCA6996FBBB3347BE8B0B4F82E33C11BC2A9DB9B1F253C5A64D6572,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:35.299{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:35.299{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D60CC3804914E51B8E3DBC2279AD67,SHA256=081D7B3B7E169BF1D192C50D7421EF934E382C8771B3555389A6A555C2BC3529falsetrue 11241100x800000000000000057344529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.351{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-16 14:17:08.076 23542300x800000000000000057344528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.351{8B6011A9-BB8A-618B-4CA0-04000000F101}7452NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98Dfalsetrue 11241100x800000000000000057344527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.335{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.335{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F2F235CE56A450B53F24CA4F4C0DE0F,SHA256=C999A528B9464B44509144A5A3B991F402895F2084762F78FAD55231F8A0B1BEfalsetrue 23542300x800000000000000021219331Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:36.689{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=706D61DFAC35F15B6CF232DE4D5AF164,SHA256=F33D32109579CF44EC307A4FAACE3F66C0A94311EB2F4845DDE04144B835F5AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.235{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:36.235{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14A9FE37E02ED5CED394DAE30259C437,SHA256=9D238C763A9D060D9F0F932A7ADFEAD8CB3607E5A707EEB4944A32FFF6EBE5DDfalsetrue 23542300x800000000000000021219334Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:37.690{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B069668C70B6DDFA57F22B305A6E2BE,SHA256=2FAAABCE0719FD5E962516A529EAB98EA619517A623738E71F8A638C4C6F1BAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:37.352{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:37.352{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=94184E8B3B2C3AD1C8EE420258092E0A,SHA256=1A3F7F2FD2CE756227C69E1929ABBBB28B24E9E13ECE296CE0476B9B1847BF7Dfalsetrue 11241100x800000000000000057344532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:37.336{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:37.336{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1468840748911D8EFBAD77F3C6840E6,SHA256=6D45999A6F4B0B195F37E01B8932F986ED3E70A96DBD8D31180F085DF0D6346Afalsetrue 354300x800000000000000057344530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.566{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54517-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219333Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:37.236{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCAC179B756242E3EB721F342234E570,SHA256=42A69726E0030A8DC0488C9B6F896BBF28B029DD67AA952347D730F28CB8190B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219332Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:37.236{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACEECBF68BAB30261431F4166B636BD3,SHA256=D8613C650ED46D8F7F71230A4127CA16A9973222050E3C74FBB43F1F079BAFC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219336Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:38.704{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0812EDFDA2300E953FD9B5552C36604,SHA256=A7B20E75EDDBE2C406AE257CD806BC476A9A0D1ECDCAB28225AC9AA688847EC5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.350{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:38.350{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=219D9467831ED63AD0C36E98CBD07DB1,SHA256=39443353127405A228243DE6EC1ACD38E499C4E808F631F9AB52DDF60440EFAAfalsetrue 354300x800000000000000021219335Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:24.655{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64304-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000057344535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.702{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54518-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000021219337Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:39.704{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=662850C2E8328635011CD1925024C8B7,SHA256=4EF4FAE1E78FEFF441059B08721D656BFBFDD7ECE2379E799E6166144DB988C5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:39.366{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:39.366{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809A9AD33D754EC3C856DFABC964CB64,SHA256=A83745ED75D8E016E7B69139405E23B53F0F6E8699D73256AB1DEB8F0C800FF5falsetrue 23542300x800000000000000021219338Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:40.704{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78535DC3FB61AD73852E7EF5E997EB5,SHA256=D21E618101D2313263B2B0D0201F4080249483EB02550C2AE2E2332C8B6A71DB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:40.381{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:40.381{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=914B122F1FAE576C6FAF146A8C85FCA7,SHA256=0B4C12960C952FAF76F727434651B6C1F02EED79B7A86E40ACF9EAD82A1F4CA9falsetrue 23542300x800000000000000021219339Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:41.704{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F3C8304DDE3D601FAD29C8B534F0ED,SHA256=807D9CC2FC51B046697101772793ADAC8CBC67B5FC88D8464B42C3BC7B45CA12,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:41.382{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:41.382{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5491BA02D5C203813487A702E1CD25FF,SHA256=636D9A48928DA0FEB7847CFC2971CA5980C62E727E4F1F8FB2230C9D32D9C494falsetrue 11241100x800000000000000057344543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:41.235{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:41.235{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05B71D32AE628E3E506103B2FA867037,SHA256=C85E7D97268E6EE0C78CF90C09242FA56F87E44F793A9167DFD1230D3B5A913Ffalsetrue 23542300x800000000000000021219340Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:42.704{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DC4B40B090D6CD6293CF522DEAB24C,SHA256=73509A21386DFF0BAE12197F5D86A77C3FAC785DDFCCC7E1F7353E9FA35B5646,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:42.385{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:42.385{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583C570B501A70A2D5E2EEB84E666BFE,SHA256=02787B060D0ADAAB0D489316525EA91A87A84A8261CA6A6CAF3831D2532EBD69falsetrue 354300x800000000000000057344546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.585{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54519-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219344Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:43.705{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C6204EF3816F2680A6509CB1D173626,SHA256=6882EB7A3775877951FEBF0FDAA97EC6BD34D42517E10298FDAAAF7F94C055C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:43.568{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:43.568{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D81CB6A968A93B00901574276AF5A62,SHA256=61046FFA6BCE944BB3F084B967153E26EBB32A45A4FAA0453A1156BC960164A2falsetrue 11241100x800000000000000057344550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:43.400{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:43.400{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DE6CAFD952FA2C5F4223B9162C98905,SHA256=6A8A2B0EF9BAA0F536A1800E22366F3045293A24555D0B4630F42845492E393Dfalsetrue 354300x800000000000000021219343Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:30.499{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64305-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219342Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:43.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA9C711A8F0E42631068669DF62C7682,SHA256=D38721D54B6525E813B70B7464F32D0539E50A21E165A38E2E9105076DDCD1A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219341Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:43.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCAC179B756242E3EB721F342234E570,SHA256=42A69726E0030A8DC0488C9B6F896BBF28B029DD67AA952347D730F28CB8190B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219345Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:44.720{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B854A4AE1BA61CBB8998ECCC087570,SHA256=1E88129B46BFE45BC7BCB09B3B989636675282C5EDCC804C75050F066676DB1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:44.418{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:44.418{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C7FEE9DAF221E494B91B7ACE1A782C0,SHA256=F3859B8381774D78B9F50778CA3CC97631A1A3F99F3C67B7C2F1E512B36A6D69falsetrue 23542300x800000000000000021219346Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:45.720{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B54E0EC11F6938C0719C790AE0026B0,SHA256=6AA8D4DFA370C7AB544F38864021867D8FB81A291080E217F45F2A6B534CD18F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:45.436{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:45.436{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5F1079BDC2CBDAF3E7C6B53CD29F70,SHA256=47C36E4D3FF8D965A40EAEFD69AFC1044C3DEB083F6145C77F24E28A6376F18Dfalsetrue 23542300x800000000000000021219347Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:46.720{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D6CA5F1993555415A163883D74889A7,SHA256=41D51CA512076EF3DC6D4DCE7C8A48B08E9066133B12549DDFF4569515455A19,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:46.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:46.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4837AD6CFF68CD0141B650BEA6A59AA0,SHA256=895DD117FA02BE613C0FC08ACB5CF472891D2D807CB880B452BCCB553514A3A2falsetrue 23542300x800000000000000021219348Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:47.725{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=031E7AE23AD034AFF67FB112F82A0A7E,SHA256=50620FD587903F0842BD25A18A2A76E687191EEE53FA4EA238E5C05608F6DC4A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:47.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:47.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A5D8CE598E0853D64AB512615374D7,SHA256=4852463DCCCF2CAC89D47A4717DE500B4E158E09115F0043CCAD9B77CF72C2E4falsetrue 354300x800000000000000057344561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:18.450{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54520-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057344560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:47.099{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:47.099{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92CA6334F3F61C960AF5032589F3FA4D,SHA256=A4CD53615E34AD604DF20D8E0C86BD9D8E330B43DD1E50A92BE0AF29F6272D03falsetrue 23542300x800000000000000021219351Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:48.725{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01677B3066A77B305C072A19F5F05F43,SHA256=2155A0ED1BC9EE8F5F5EDCEB4A6B5B2E7E93B631815ADC57285AEFCE16B93837,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057344569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:48.918{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057344568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:48.914{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057344567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:48.583{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:48.583{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90C3B7F4E35557867C78F73432075D36,SHA256=B08C1B513BD39AB4ECADD2F987B8B44493FD356971992F34516C6CA6DE99CC9Dfalsetrue 11241100x800000000000000057344565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:48.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:48.452{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83EBAB71562CE9A9D8E9BE185D4D4AC1,SHA256=E5996A76863F04FA734A62638C831660D9FD47540964FF92BF6AD764DCB0268Bfalsetrue 23542300x800000000000000021219350Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:48.194{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76DF123CA4D4EEA6448A46FCE1AD8C42,SHA256=E228F1F1A7BEED4D020CE1AD0D4FA50569E4E3B292F1AF72A022467032E0D3C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219349Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:48.194{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA9C711A8F0E42631068669DF62C7682,SHA256=D38721D54B6525E813B70B7464F32D0539E50A21E165A38E2E9105076DDCD1A6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219353Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:49.725{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DAF0290998DABF88A3269A41B385451,SHA256=AA7606C57D5F37C4BE45F2EA837D7B5C8A642D4427BA8D69C6806F6E16D1A3FC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:49.934{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:49.934{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE874621D954AB930AB0DACF576FD93B,SHA256=FDE945A750E6391C63512ED5A27C5608595DAB9A330EB0FCED8FCED570EC0661falsetrue 11241100x800000000000000057344571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:49.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:49.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540588F5EEB00462282C88E0C585A3BF,SHA256=767DF8776889FBA82AC09CAE2B206F622F16F72460D99DB4B5E99BF69FF3F70Ffalsetrue 354300x800000000000000021219352Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:35.514{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64306-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219354Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:50.741{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A61ECBBACF6835C9796EBE01002216,SHA256=65F91165B77CD2EAEE694DB0FD35BE4051E62374F1344C9CDCE5189F6FE8E3DC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:50.481{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:50.481{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC81706316DD32B72AE8AA6ED4273217,SHA256=6902B9F6EA2B974B16E70B5A86CCC28A5219F339D78E9B65BF74BAD6E8371170falsetrue 354300x800000000000000057344574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:21.266{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54521-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x800000000000000021219355Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:51.741{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C644CE7627E07AA660619D42BC2DCBCC,SHA256=5925B65B3467BC966E2B1D44DD5605A82ADB807C4910EBE3748CA544B83479A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:51.515{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:51.514{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E88CD7B70645DFB655303E7C1D13955B,SHA256=BBD1F3710FE0D11D299AFBED45F65C0053BA7D39452FEC1A280A303B5435616Efalsetrue 23542300x800000000000000021219356Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:52.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EE0DB450A6F8C4B67196E9A3B1D58D,SHA256=2D760AF69836BDA6F86153FE33DBC1E88E680C2FC1C2E611F731D7A327DFFB75,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:52.533{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:52.533{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=955159FB178BBED1F90E6B29FDBB599B,SHA256=36D19DEE2BA96FE4B93A77627A2B92E8D96FE7411DAA57AFE2307C3937D54E61falsetrue 11241100x800000000000000057344580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:52.249{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:52.249{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4CDB4B6ECD3C162934B409AADBDEB76,SHA256=CDAE5AB3E285E55CE3646F3FF7EC8BA1DB447674E10FB62301274078CC49E32Efalsetrue 23542300x800000000000000021219360Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:53.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2530F2371D69068749271862AF44C2A7,SHA256=04060A70338E183EA629C7A5068FB9CE4F462775AC47601D96D38D780B9764A4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.548{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:53.548{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4B182071774A38C63BD8384FEC195E6,SHA256=44E4976D2DC971CBAC16896A21DAED1D41B7787C7E590185DB580C32AAF015AAfalsetrue 354300x800000000000000021219359Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:40.660{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64307-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219358Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:53.412{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BE85B8C96C25534932D693BF33A643E,SHA256=3E7F91E6B93F6E39F2BCA34CA25ED4CA21AD4359A1AB2A645655E1230367D46B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219357Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:53.412{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76DF123CA4D4EEA6448A46FCE1AD8C42,SHA256=E228F1F1A7BEED4D020CE1AD0D4FA50569E4E3B292F1AF72A022467032E0D3C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:23.601{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54522-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219361Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:54.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61C5C9669969501C9A0814EB6242305,SHA256=A40ED43025915661E0A2CFB9DE6D27D8137F9BE19BAE7ACD3EB63AD2D89471B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:54.578{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:54.578{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7099B41B6063756D2C2388ECD283BED8,SHA256=D060C109FC7805A1D3121DB072742E7C88C4A89D31BF1F1C729ABDD75F72D137falsetrue 23542300x800000000000000021219362Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:55.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D55A126444B6A47363D9F92D35EB7C3,SHA256=15BBB38860C0BD1279DFB20F0B0A458DCF484DC2A89930169F00EC702D9F416A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:55.597{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:55.597{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27647BBDAF37932BC487B6034902F750,SHA256=90D8D3E07DCE074DFB62933C2A16D0824B807B8A0BEB8B590371150CC21CC9E9falsetrue 23542300x800000000000000021219363Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:56.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451E66EBDFF7C746E785B5CCD19DF105,SHA256=4DFAD6556A39534BB883F70120A6DDFF72951AEACF5A703EBA4A220FBA9B9535,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:56.615{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:56.615{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CB691BD649BA1CFD5FCE4D9CC89CC6,SHA256=E7B2F16D857107D1145133D71600B08494C0818416947B163712A04CD913B698falsetrue 23542300x800000000000000021219364Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:57.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6C8DB4453966ED838B84E656907F33,SHA256=D46FE60442C00256FA644CEEC4300D683751EDCD1A87509FF22D59A21E3D8BC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:57.634{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:57.634{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A0D6457D23DCA221A433F088DCEFCD5,SHA256=5FD0721A672C52A72AE472999176457D57A7828BC470D5C40EFA2A1498919C49falsetrue 11241100x800000000000000057344599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.649{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.649{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8B43ACA7EDBE83E9AF1998011731BE6,SHA256=DBBC40876F9E6EE2F8DEED0A6B334B63E2AEE364FE6DDC7908123A5E31A3C0B2falsetrue 23542300x800000000000000021219365Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:58.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5C7065E3329C4E2B09916A8F45B3642,SHA256=48682661FA9DC4F0BC75FEDA9E435422433F3AD50C9080B7C8D61F1538775C6A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.196{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.196{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02FC92F2FA6C1F067740DCBAAB6E1878,SHA256=98192B5707A3A075A738941316170233F63DC9A35AAA8BC90DF844FAE942F434falsetrue 11241100x800000000000000057344595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.196{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:58.196{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D800598261BF4021EDFA3A69657E9937,SHA256=A15261668CFB2DD85674D8150828E45EFF26C3EAA189635D8BE1B5D4C42A3B28falsetrue 11241100x800000000000000057344614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:59.663{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:15:59.663{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B304CFF313CB2E196B232E047BAE32A,SHA256=6F372768E326F7B20EAD6D8E12F416E6E445EA4EE9E62454BF829EC7C0D19BD2falsetrue 23542300x800000000000000021219368Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:59.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23A1FEDF9B498EECAD9905B7DC9D059,SHA256=045DF17672E218AE0BE9D20B2CA373A02BAA6C30CC59866933E6517761144A7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057344612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:29.532{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54523-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 13241300x800000000000000057344611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000057344610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0xa35fc4e3) 12241200x800000000000000057344609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x800000000000000057344608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7b6-0xab9a6ad3) 13241300x800000000000000057344607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7bf-0x0d5ed2d3) 13241300x800000000000000057344606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7c7-0x6f233ad3) 13241300x800000000000000057344605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000057344604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0xa35fc4e3) 12241200x800000000000000057344603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime 13241300x800000000000000057344602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7b6-0xab9a6ad3) 13241300x800000000000000057344601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7bf-0x0d5ed2d3) 13241300x800000000000000057344600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:15:59.463{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7c7-0x6f233ad3) 23542300x800000000000000021219367Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:59.147{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCF18EFA587E5DBA8DF9EA59093484AC,SHA256=83B45C7492FCEFB5A83399899582B6A8C09F729D830E3D85D4AC5FD853673D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219366Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:15:59.147{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2BE85B8C96C25534932D693BF33A643E,SHA256=3E7F91E6B93F6E39F2BCA34CA25ED4CA21AD4359A1AB2A645655E1230367D46B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219370Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:00.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71B0937297ECE4F860B3FFDD3528166,SHA256=CBBF9DA134B1DF2F52D783701F17E1D50A376AF6FABF26435533675428532054,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:00.678{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:00.678{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89EFD10C83F27C6AB9F6D14B27AED79,SHA256=20C9C21C8DC9FEACC095718C3BB425305C76C79E7479664FE3EBE1EFDF49BBE3falsetrue 354300x800000000000000021219369Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:46.551{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64308-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219371Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:01.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=250F48375FB2DB594CC02266EB2D2073,SHA256=B71D1D3932770771B645F4BCEE6BCC35FE341C088D5D0178C1B045DBC44F6794,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:01.693{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:01.693{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13061BDE099CD5407C904149DFE85DFA,SHA256=843B9F1A42CB0EE35DF3ED9DE12EEFB18FFD3EA7726C5AD2E91A3E30B229DED2falsetrue 11241100x800000000000000057344622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:02.714{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:02.713{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E4471BFFA0BA196AB91C79B74C33852,SHA256=42E3ABBA7F48C5E755FD28D74E2800FD009E0F4781654209385B667B41509295falsetrue 23542300x800000000000000021219372Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:02.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8D4A03DADD916CB6088887F6095BDE,SHA256=F1F6A1B59425F90BA65FD2742828B9AA37A877FFA8E8CD5F5A4D3E8329DB6D99,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057344620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:02.545{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057344619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:02.545{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057344628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.729{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.729{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9439BC5E870C0A2EF3B92775C155D0,SHA256=56F31C85A1F08F3AAB4092FD1A8A1599D72ABC694F7DA397CC7526CD3A62D23Dfalsetrue 23542300x800000000000000021219373Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:03.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF420C9C42A3A960689C4A2B4A31ADAC,SHA256=A2D769CD470D966F7F6B942715A9E746D436C68D6671A99B4BFD35BEC15474CF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.591{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.591{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AE78B80EAEF19DD92B91FE863B9543,SHA256=2069F81DA4F8C6FED3AC80F9EAA43B0C70294AE99251C1403AC08D76D216CE69falsetrue 11241100x800000000000000057344624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.591{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:03.591{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02FC92F2FA6C1F067740DCBAAB6E1878,SHA256=98192B5707A3A075A738941316170233F63DC9A35AAA8BC90DF844FAE942F434falsetrue 354300x800000000000000057344632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:35.481{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54525-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000057344631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.898{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54524-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057344630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:04.759{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:04.759{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=678BD479F0C02F168F70E202596FDBAA,SHA256=0A017B0631A3EF6E8462424B89DAC1E6E088A8F3FE52CA8211176E3E89987F43falsetrue 23542300x800000000000000021219377Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:04.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC11F7EFE429990BC365358A1717A65,SHA256=29476B9A11E364D88837940AB98139F08D8BBAE82D94DE671E6AB282E0B7AC36,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219376Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:51.660{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64309-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219375Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:04.490{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFD48E62B1C45F36AB0F7E942688BBED,SHA256=3D8638A3270750FC642DD9112F6A95C4B9F9573677672B7F2B0FA9934965B2EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219374Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:04.490{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCF18EFA587E5DBA8DF9EA59093484AC,SHA256=83B45C7492FCEFB5A83399899582B6A8C09F729D830E3D85D4AC5FD853673D97,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:05.790{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:05.790{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E9BCBDBC8CDCE8D88B4F3DC02A85D80,SHA256=6E39519662147ED35B64EB53D407E52EE9F32D6E7731F31CE627C18F67936022falsetrue 23542300x800000000000000021219378Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:05.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD95AE71525D26CCF81185743EE17372,SHA256=801BD5C4D05E7E97C79A764780B7523319AF8FA25C8359D195A49469FC43AA3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:06.809{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:06.809{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E79455DF2735DE3210962BAE5002428,SHA256=1D200A6754287F78F636E14E62856E7287294027EFD1E7BC0D269CF76BC17BFFfalsetrue 23542300x800000000000000021219379Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:06.756{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5523DF56F4E1978193808C5E8D8E17B,SHA256=280382B11B574D7AE16926414522451F81D9416E2AFE6F0ABBAECD9972315D1B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057344636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:06.110{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057344635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:06.106{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057344695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.926{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.926{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9C294758D7A0F417269AD10139EBFE,SHA256=C12DE2B1D144486AC7F68F4699A54C355DEE2948F0E20FEE9D88497F0ECFFB18falsetrue 354300x800000000000000057344693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:38.458{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54526-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 734700x800000000000000057344692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057344688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057344686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.826{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 23542300x800000000000000021219381Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:07.758{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38692B57F868F7B224C9F05D9A2ABC8,SHA256=C1BCA31AD134D6A6B221764654C69EF0F2B4BA7204D5BEABC0BF8D13B25CDC50,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057344654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.811{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000057344649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.810{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.810{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.792{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:07.791{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.127{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:07.127{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AE78B80EAEF19DD92B91FE863B9543,SHA256=2069F81DA4F8C6FED3AC80F9EAA43B0C70294AE99251C1403AC08D76D216CE69falsetrue 23542300x800000000000000021219380Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:07.633{AD5E2759-5433-6143-1200-00000000F101}292NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BE91800A85751772BEF8A0E199E08FFA,SHA256=1E36ECF8ADD89A5E2107834D705AA8148782B259B1771FF17936C7A9D83530E4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219398Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B08-618E-03CE-08000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219397Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A679D0ECAE36E3D2BD9666A1BEAF4C2F,SHA256=6A8A5B01CF9DB12077004E7D16D02F809F66516BF5FB69A96B24936E9A98A017,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219396Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219395Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219394Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219393Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219392Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-5432-6143-0500-00000000F101}4122832C:\Windows\system32\csrss.exe{AD5E2759-5B08-618E-03CE-08000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219391Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.804{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B08-618E-03CE-08000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219390Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.790{AD5E2759-5B08-618E-03CE-08000000F101}6048C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057344764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.688{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.688{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057344762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.688{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.672{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057344760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.588{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.588{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC6C68BED5EE2E0BA0FB12D1D6C41F9D,SHA256=2C88DAC0A5CEA4E0CA73716BBB1D45E27890B7D9FC435CF236B18FA30A1A0850falsetrue 734700x800000000000000057344758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057344752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.510{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.504{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057344747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.504{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057344726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057344724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057344722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057344720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000057344716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000057344711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.488{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.473{8B6011A9-5B08-618E-39F3-04000000F101}9192C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:08.473{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000057344702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.292{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\respondent-20211011185456-44545MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63Bfalsetrue 11241100x800000000000000057344701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.291{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\respondent-20211011185456-445452021-11-12 12:16:08.291 11241100x800000000000000057344700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.289{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\surveyor-20211011185454-445462021-11-12 12:16:08.289 534500x800000000000000057344699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.010{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000057344698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.010{8B6011A9-5B07-618E-38F3-04000000F101}101649436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.010{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:08.010{8B6011A9-5B07-618E-38F3-04000000F101}10164C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219389Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.304{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B08-618E-02CE-08000000F101}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219388Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219387Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219386Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219385Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219384Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-5432-6143-0500-00000000F101}4122832C:\Windows\system32\csrss.exe{AD5E2759-5B08-618E-02CE-08000000F101}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219383Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.289{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B08-618E-02CE-08000000F101}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219382Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:08.274{AD5E2759-5B08-618E-02CE-08000000F101}4476C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x800000000000000057344879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.807{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.806{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.806{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.805{8B6011A9-5B09-618E-3BF3-04000000F101}9232\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.805{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.804{8B6011A9-5B09-618E-3BF3-04000000F101}9232\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.804{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.803{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057344843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.788{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000057344836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.772{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.757{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.756{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.709{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.709{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F77D2E69648030FE00F42E889A158F3B,SHA256=8DBE99284B14F01BFCC70A6786090D8AD14FE6B393DC4B0F40AC757EEE795B62falsetrue 23542300x800000000000000057344825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.290{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\surveyor-20211011185454-44546MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 534500x800000000000000057344824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.272{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.272{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.272{8B6011A9-5B09-618E-3AF3-04000000F101}71769496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.272{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.272{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057344819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.110{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.110{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.110{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.109{8B6011A9-5B09-618E-3AF3-04000000F101}7176\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.108{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.108{8B6011A9-5B09-618E-3AF3-04000000F101}7176\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.107{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.107{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.106{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.106{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 23542300x800000000000000021219411Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.867{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B08973065BC801D6D9C08BB322411CCF,SHA256=734CD2646E6B8FEABDBCA4D1259B3F304F46A35C35F193CC16C46489674CC12C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057344777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.088{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.066{8B6011A9-5B09-618E-3AF3-04000000F101}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000057344774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.057{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.057{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994B80679F7E99D5423E18ACC6FC4E90,SHA256=01547B762E58B8F57CF3EC2C90D500E14CCDD698E3E13C8A2643A34DB34A1F34falsetrue 18141800x800000000000000057344772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:09.057{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.057{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:09.057{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399EF501B1422BFDB846F93A92FBEE11,SHA256=DE928B0A7998E366C10E5AF708FD7AE73D609F7382DD83B6CB5F833D55976142falsetrue 10341000x800000000000000021219410Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.679{AD5E2759-5B09-618E-04CE-08000000F101}28803248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000021219409Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:09.648{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7bf-0x137e4bbf) 10341000x800000000000000021219408Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B09-618E-04CE-08000000F101}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219407Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219406Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219405Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219404Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219403Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-5432-6143-0500-00000000F101}4122828C:\Windows\system32\csrss.exe{AD5E2759-5B09-618E-04CE-08000000F101}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219402Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.493{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B09-618E-04CE-08000000F101}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219401Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.477{AD5E2759-5B09-618E-04CE-08000000F101}2880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219400Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.320{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFD48E62B1C45F36AB0F7E942688BBED,SHA256=3D8638A3270750FC642DD9112F6A95C4B9F9573677672B7F2B0FA9934965B2EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219399Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:09.008{AD5E2759-5B08-618E-03CE-08000000F101}60484100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219431Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.883{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DBDBF1DDB736AE57B0F6458BB7697A7,SHA256=1565EC0E89F53C3186F13FC25D5091F77F269AE7D8DF9652ECA01311A19AD08E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057344946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.767{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057344945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.767{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3B16891EFDCE1A2CE3A93CCE2A0CB0D,SHA256=8B2D8CD7358C4404082128DBAA26F790A0E25587F3AF375274058409CB41E4FEfalsetrue 534500x800000000000000057344944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.652{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.652{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.652{8B6011A9-5B0A-618E-3CF3-04000000F101}20766632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.652{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.652{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057344939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:10.489{8B6011A9-5B0A-618E-3CF3-04000000F101}2076\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057344933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.488{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.488{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.487{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.487{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057344918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057344902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057344897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.468{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.453{8B6011A9-5B0A-618E-3CF3-04000000F101}2076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:10.452{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057344888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.268{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.268{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5FA233774C0DC1DBD5773114D8E2E5,SHA256=2AC749320C8DA0270FEBA676C494E98EC710572B4DC37C4162DD33735A9925ACfalsetrue 11241100x800000000000000057344886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.237{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.237{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45982E74E0F53345B1206ACD081C1432,SHA256=3524B7233957480E9C02B14C3F9AA20FB57DE22D9823365620C3A724B286840Dfalsetrue 534500x800000000000000057344884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.065{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057344883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.061{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057344882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.060{8B6011A9-5B09-618E-3BF3-04000000F101}92327372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.032{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057344880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:10.030{8B6011A9-5B09-618E-3BF3-04000000F101}9232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x800000000000000021219430Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:57.553{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64310-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000021219429Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B0A-618E-06CE-08000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219428Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219427Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219426Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219425Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219424Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B0A-618E-06CE-08000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219423Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.867{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B0A-618E-06CE-08000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219422Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.852{AD5E2759-5B0A-618E-06CE-08000000F101}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219421Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.508{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89A2B85DA756D5A57493E9298387D6B3,SHA256=38D42D1C51C7AE5A913A3E07F07599C78C50FF1746485E4CCE906817D1AEAAA3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219420Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.367{AD5E2759-5B0A-618E-05CE-08000000F101}50803664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219419Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B0A-618E-05CE-08000000F101}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219418Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219417Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219416Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219415Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-5432-6143-0500-00000000F101}4122828C:\Windows\system32\csrss.exe{AD5E2759-5B0A-618E-05CE-08000000F101}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219414Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219413Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.179{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B0A-618E-05CE-08000000F101}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219412Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:10.165{AD5E2759-5B0A-618E-05CE-08000000F101}5080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219442Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.883{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2559133CF4CBECE8FD4779B7A8D6E0FA,SHA256=D72BB3174BCAD6A8A3E1364EA4D236B311076068A61BD461953A68F175E44D05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057345059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.855{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000057345023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057345021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000057345016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.839{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.824{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.823{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x800000000000000057345007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:41.477{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54527-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 534500x800000000000000057345006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.392{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.392{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.392{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.392{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057345002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BC45D10B7CA77318BC68AE59E711E1,SHA256=4E0ED728E450C72CA602882AABE69964074458E0793164F32404C6E977633252falsetrue 11241100x800000000000000057345000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.239{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057344999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.239{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F54A2966D82AE76C293FC6B6C94A4CF,SHA256=E79003DA45E3C3786105EFFC88E2F58D86A638D6586864FF863A19B58BD4502Bfalsetrue 23542300x800000000000000021219441Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.851{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE184FF53D2FB6C5043A9DA4789B8AF7,SHA256=F5D1CECBD08889E58F508FEE5DCD91B1338549C157EC39FA3C527EFF93035149,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219440Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B0B-618E-07CE-08000000F101}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219439Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219438Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219437Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219436Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219435Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B0B-618E-07CE-08000000F101}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219434Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.554{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B0B-618E-07CE-08000000F101}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219433Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.540{AD5E2759-5B0B-618E-07CE-08000000F101}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219432Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:11.086{AD5E2759-54C7-6143-A600-00000000F101}4072NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057344998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.192{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057344997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.191{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057344996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.191{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057344995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.189{8B6011A9-5B0B-618E-3DF3-04000000F101}8648\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.189{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057344993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057344992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057344991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057344990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057344989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057344988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057344987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057344986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057344985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057344984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000057344983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057344982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057344981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.170{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057344980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057344979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057344978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057344977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057344976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057344975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057344974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057344973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057344972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057344971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057344970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057344969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057344968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057344967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057344966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057344965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057344964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057344963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057344962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057344961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057344960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057344959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057344958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057344957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057344956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000057344955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057344954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.154{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057344953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:11.139{8B6011A9-5B0B-618E-3DF3-04000000F101}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057344952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057344948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057344947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:16:11.139{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 354300x800000000000000021219453Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:59.506{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64311-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000021219452Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.883{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64AF35EE175966382CB949995FE2A773,SHA256=2026C34EE207281241443A59F7997A14D52949951CBA839598E2DFC76774CF1C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.423{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.423{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC99B7D2F5F8DEF7350BDE6B5E00B70B,SHA256=9018A7C522950B7359D05CC5641585FA14985147488CDAEA9CB5FB09621C3DF6falsetrue 10341000x800000000000000021219451Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.242{AD5E2759-5B0C-618E-08CE-08000000F101}3132852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219450Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B0C-618E-08CE-08000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219449Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219448Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219447Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219446Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219445Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5B0C-618E-08CE-08000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219444Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.070{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B0C-618E-08CE-08000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219443Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:12.056{AD5E2759-5B0C-618E-08CE-08000000F101}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x800000000000000057345065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.154{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.154{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7BA17585B204780B29FA2E9C1A26CC3,SHA256=5B85F281A03CDB2FC7708E62BEBC3C9EA820E43CD80429A8BBB62F60AFB6D883falsetrue 534500x800000000000000057345063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.107{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.107{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.107{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:12.107{8B6011A9-5B0B-618E-3EF3-04000000F101}6660C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 23542300x800000000000000021219455Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:13.883{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9396684DC07891534E02109EFF28BD7,SHA256=52029D1FA272B32AE4B10D72A5D47E01D95A0B6D02C13428EBDF7CB3320454B4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:13.437{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:13.437{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D7F44CB70D462B24B241EE4F15E9AD8,SHA256=4B6B470AF2F98DCA9955AA2AB5067CD62D65846D88CA5DD935234803FBC1C7C4falsetrue 23542300x800000000000000021219454Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:13.211{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFE36EA74DCE5CAF5C444FAF72FF3F06,SHA256=BBE851153E28AC6A87223B4C9C5B38F8A5B088DCF4DF6F151DC0DC98C68A8B84,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219456Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:14.884{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B34DA958035FE2E5E7BDCBE0049283C,SHA256=059F0572491438712810008D808834533E1D82B6A0F8F9E44E27CD97CD2762B5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:14.569{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-10-11 18:55:38.088 23542300x800000000000000057345072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:14.569{8B6011A9-886D-6164-1200-00000000F101}460NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=BC5BBD52C2CC506AC2F5B9AD057EEBB3,SHA256=96126604D156AC6F649C8F872237FA70EBBBE0D9611B42CEF7EB4FEC36CD9B83falsetrue 11241100x800000000000000057345071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:14.453{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:14.453{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AC6BD3126C2CA6C4743EE466F550265,SHA256=3186B7BCE954450C2FE61CF160838F454575B2E91419FE2E6D6415BDB960B96Ffalsetrue 23542300x800000000000000021219457Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:15.884{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C035634D526E67E58CCDD0A62846DE5B,SHA256=98184DC914D4946AC50F434C728F59A845E6395E51E5A619DCB35EDC90781E3D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:46.540{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54528-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:15.468{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:15.468{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DF25CFEEC1E7579B115351F4D52C27,SHA256=A980161DE78B6E9274C17C53C79087C105CE8D9988C869872F644C5CCADE5FC2falsetrue 11241100x800000000000000057345075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:15.205{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:15.205{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B70E48D634194C116B803B3AB7038452,SHA256=86BA21F57E54992782B4F4F91E0D17AD3C43685897F0B8D30D52C729C16A4869falsetrue 23542300x800000000000000021219459Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:16.884{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADDACD8CCCDBDF26E23BDD7C093BFDC5,SHA256=7F6826B012E321F3C8EE86F39E79E9900DB466F35B4CCC2C3B51B29BAF313021,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:16.468{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:16.468{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=975E9AD53ED157D44A5FC7CE41ED51D7,SHA256=DEF036A2100271D2A4A612D44DE28D9D086F9E4FA15EC21C1A8453A8FF17D8E4falsetrue 23542300x800000000000000021219458Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:16.165{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6802618DACC86F9825A601AEB3C46C46,SHA256=ECC016760F5D0DBE03BCDDECEBFB522DFCABD28CB52F8A97C4C2B40B53ECA930,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219461Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:17.884{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDD993D849F68C957169362DC9B7A9A,SHA256=25BE363EB2718B212080CF21B2A8D3BB3F19DD09BECC566BEE9F573867265BC0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:17.486{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:17.485{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FBB1E3906A2192ECCD620FAF06210C,SHA256=4B4FE29B7FF1C79564F33E98598C3366292A2175EDA91F2305CCA3E10F51C086falsetrue 354300x800000000000000021219460Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:03.569{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64312-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219463Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:18.930{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7E53DC118D7D9057313AAB88A4A815C,SHA256=4087468905EFFA36E101D32EEB744AC90343DE4CF86D53FF5869C68C1E6D428F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:18.504{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:18.504{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D74902612C94C8FDAB57A454B8F9824,SHA256=1ED10DA6713718E5EC55B0BA9FC074AFE71D34E1F4ABA20F33195AF64AF20F3Cfalsetrue 23542300x800000000000000021219462Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:18.823{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\respondent-20210916142702-79907MD5=8085950F126672766A1DF0580C539A31,SHA256=836015C54DD1F9176CE157D9E23B9B47C196C9CF50DD587B63CC20EE15FEF46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057345084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:18.383{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057345083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:18.383{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 23542300x800000000000000021219465Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:19.961{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91EC72ECB88FFC259960CB85B31ACF45,SHA256=CE2E40A887C57B18124A64C0C8EC47FCDBC5F10E70FA97334105F23AF1E947B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:19.520{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:19.520{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E6AA0F8392ADDA874C465D3A3F156A,SHA256=9A059B6567829083235864409134C845F4359558C166729088A0FCB2FA5E4D4Ffalsetrue 23542300x800000000000000021219464Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:19.822{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\surveyor-20210916142700-79908MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:19.405{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:19.405{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C833AE0FF2405F7577C750717C99323C,SHA256=8049DB7DD8CF6DC4E983541E9BAC0B4FAE707C1E30BA506D999778CDE544E8A8falsetrue 23542300x800000000000000021219476Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:20.980{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43DC90E9DB803CDF36B7DF8B37019517,SHA256=F5ED290F41DDE80D1A4881BE0FB576ED6834F6B98FA9D9EDE00ABA271C14F86A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:20.550{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:20.550{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D02D450E5432383C82C30D0EB57F456,SHA256=EBD7BD3E86478D2C25D7A738AAC9C1A28897EF8BA19CE75DAB73A2F565DD16EEfalsetrue 13241300x800000000000000021219475Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000021219474Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000001-0x2513acf6) 13241300x800000000000000021219473Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7b6-0xb82f5fc5) 13241300x800000000000000021219472Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7bf-0x19f3c7c5) 13241300x800000000000000021219471Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7c7-0x7bb82fc5) 13241300x800000000000000021219470Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x800000000000000021219469Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000001-0x2513acf6) 13241300x800000000000000021219468Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7d7b6-0xb82f5fc5) 13241300x800000000000000021219467Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7d7bf-0x19f3c7c5) 13241300x800000000000000021219466Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:16:20.605{AD5E2759-5432-6143-0B00-00000000F101}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7d7c7-0x7bb82fc5) 354300x800000000000000057345092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:50.735{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54529-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 354300x800000000000000057345091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:50.735{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54529-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 23542300x800000000000000021219477Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:21.980{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E804EBF1DEFAF8DE03B5E8835CAAA2D,SHA256=8CDCAA64EACCA150F16BC903208A173DF24EC46D599BB6469CC3619FE4D9E595,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:21.565{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:21.565{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D8B67F91D7CE6ACA5F6CBA12B491A43,SHA256=CB21A574493729A30EE19734E63366CD6EC5277B64BD94D59A8F0F331F685E4Efalsetrue 354300x800000000000000057345095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:51.588{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54530-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219480Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:22.980{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E2B81AC30FD0C3B69E163959BEA366F,SHA256=3E1A9511C363741D760067A32C116DA9D973B7BBFC97476F6F4D13C7253B2181,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:22.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:22.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C652509177B72E80E36C29A2850FEE7,SHA256=F440D4A983D86E694B4AAF37BA7DFDAA2D11F8507D6D0D5819F35D28AD97FEB2falsetrue 23542300x800000000000000021219479Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:22.089{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E65EF6172FCEC0FD369722BFA90160EB,SHA256=A1BA33680E06033A4D8BC4241CDE452A679F2374CA5304E9A7EA97C3A254302C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219478Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:22.089{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6410F367B01C8D98D64CCD009F64D3C5,SHA256=F7E0CC5C59002FA8A696B4620548D82A87E78584FDE369EC099AE49E97AE166F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:23.617{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:23.617{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=030DA504C0BED6203D47B67C41D1AEF1,SHA256=2E9A219072EACD7E36487FCF5484687CB108895F4901D01A68D891343AED4D5Ffalsetrue 11241100x800000000000000057345101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:23.601{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:23.601{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1D26AEF75FA64597E6FC9FCA4CD0C3,SHA256=4A2712A173CE93B83DF7961626C85726ACEA6F0EBB845ADE2F0D8AD760E1E9E9falsetrue 354300x800000000000000021219481Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.463{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64313-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:24.616{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:24.616{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2472382EB26F4E288059D7891EE9E95D,SHA256=7B1D5CC10BF48B0FA01E2BAD88831B4B43A45E1069A0C755F30ECDBEC5B24D06falsetrue 23542300x800000000000000021219482Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:24.058{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC90B56DB5A8250673B2B9F9F4D3075D,SHA256=E359074227506A6F2DF487274933E24886DA1A53EB8DD38D731DC74286F9E921,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:25.631{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:25.631{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1B542CEB8710A34527EADBBABC27E9B,SHA256=9416D506BBD1BD133A712FC67AC0BBF9D803492AD8A59F409C4027C59425752Bfalsetrue 23542300x800000000000000021219483Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:25.073{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DD318A951817184C8F6A93997D334DE,SHA256=E810D96C05D54B14EA449E0FFE5595170CFCAE18BF48B318F506D513B636ABB3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:26.646{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:26.646{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57504EF4E72DE5CDED2D8EE2BCD03775,SHA256=B14FEF3D5B6FE2B8A4EBE37494A037F85B952E5A1D822C89ECBED96226F7A35Afalsetrue 23542300x800000000000000021219484Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:26.073{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE6AB80040099F03D360C72D8B3A5D78,SHA256=A903D70E3DB4FB749C6DA1F466D2467A7CEF24FEFCDF845AF04C6892141CEA90,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:26.199{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:26.199{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EAA2B1E3288CCD1720278B7CC339487,SHA256=DB8D110024912B4D66ECA88EF3E72A0FF2C3307412D4AE40BCCCF0AE57508C97falsetrue 11241100x800000000000000057345114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:27.661{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:27.661{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7275A4CCE4566918556E9B8138D3C7B4,SHA256=088826D00E1FA23120A263113477CCBEDCAB8B123E69B4463CA20BED136B74F6falsetrue 354300x800000000000000021219488Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:14.509{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64314-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219487Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:27.105{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60C8914A698038717DA8F2423BB10E99,SHA256=C15FC0D36B47994A0A2221D5975F095EC11AC583D38D1F4077EC7B8F93F920A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219486Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:27.105{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E65EF6172FCEC0FD369722BFA90160EB,SHA256=A1BA33680E06033A4D8BC4241CDE452A679F2374CA5304E9A7EA97C3A254302C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219485Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:27.073{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C04BAE9F4EBDDEF448DA26F9F233B95F,SHA256=DBF283F4FE0C4AFA208674829982E75D6A9DF6A17655CB74E6EDCD7AEC5FE480,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:57.530{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54531-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:28.681{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:28.681{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128E56998422D629983C83E23E9DF7C7,SHA256=D6283967CEA8B44CF664327B9DD1AE513EFC8A05ABC75CE3C28A75EF94BB5BA9falsetrue 23542300x800000000000000021219489Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:28.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F0099E20DD59783784DB063E0B5423,SHA256=C68DED39CD134C79FBEA2963AD8804A270029AC2E5169FD9BD67141D93C14224,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:28.582{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:28.582{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA8816A4D24AAC7F04CE0CB6FBBED58A,SHA256=BD77FF8F1DB19A308183A3B65FA08D5A198C9A4C611FA0FE6457D8444D7E02C5falsetrue 11241100x800000000000000057345120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:29.698{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:29.698{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1F6535BC72946FF58489849AC3BC976,SHA256=AE565D3FA89B5555A8BF514B393008AE70B8A7B9151A3BAAA34B10D0E5325F2Bfalsetrue 23542300x800000000000000021219490Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:29.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=598C865CDC27351D23DB5742F7D9B1FA,SHA256=0908563C22439FACC5CCF8D997CCCD9BEE8857E142B30F852223FD805266CEE1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:30.728{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:30.728{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7320B6595C0194D7C4A1A76330C6F7F2,SHA256=947D53371066E5571C0E93067E8493AE9F9D0AA1346DDC110C7FD4050F48A4A0falsetrue 23542300x800000000000000021219491Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:30.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DF53D4ACA0CC3EEDA3244BAAD5E474,SHA256=922F7E16FE1C6D05F88A07A654480983D8E05A9D99ED6C84598AB07BB41975BE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:31.778{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:31.778{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867176CE468FB6CD7A770D6576E423EF,SHA256=6646B81A0CE9F58A78A768399F2FECAB1F23F08756C7D1727FDC2D3C07393E39falsetrue 23542300x800000000000000021219492Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:31.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19DA16A5CECE325B58ED6BC41A1B45C7,SHA256=73AFE7C411BE1DB6DD1E34FA61181384B477C42E5FEC213417DBDE10756D4300,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:32.796{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:32.796{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90027065016B2D4454AC5810B0743233,SHA256=DE974F02EDDEB74AA22D44795FDDFDAEE13ADE8024D62EE9B565EFAA3CA5E250falsetrue 23542300x800000000000000021219495Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:32.263{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E4B36F7032F9E7E37FBEAEBDFE6AEC5,SHA256=50319FE1293AE6B16E03F0137D67E357FE07D27EBEF88E6403D0B91D629285AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219494Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:32.263{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60C8914A698038717DA8F2423BB10E99,SHA256=C15FC0D36B47994A0A2221D5975F095EC11AC583D38D1F4077EC7B8F93F920A3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219493Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:32.091{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A485E0FBFEC22A2FCA2ED2113EB77F6,SHA256=1FE9DECBD206C09FCEEBEE126FE6E70F7F8F9BE488191DEB7B4816848B4041ED,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:32.227{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:32.227{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F124A00EAD0051EB3743433D2EE9EA15,SHA256=327DD68010E68211A22EA81568B751555763E23715B2D56A92851B0725442D8Dfalsetrue 11241100x800000000000000057345131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:33.811{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:33.811{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D85349FD5107FECAEBB61F0FDD9F492,SHA256=20E6BB4BB2E0601783F52A2E8FD88361DC02B7B6E338D3B3A425ADB95BB8EAAEfalsetrue 23542300x800000000000000021219497Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:33.122{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C37D76245DCE058C1B163EF8EC196B3,SHA256=ED8EAA992E601838B15545C3D307B2C109BDBA25310C5ACD81A43CAF2B337583,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:03.564{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54532-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000021219496Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:19.667{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64315-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.826{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.826{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8150F9E36086080DFA5FFCE728083BDD,SHA256=E6686C09D4CFCBB890D0D277DC2A9E8A2B60B9D06B74132368CEA00A87CB6AD0falsetrue 23542300x800000000000000021219498Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:34.122{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB3C80294A52C26B946B7497EE7D338,SHA256=72FA2ABCC503042930E03963CD6E480ACFBCEBCFD3C3491B577C5F624D0E6511,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000057345135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.179{8B6011A9-E4CD-6172-AAB2-01000000F101}9240ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\9240.xml~RFa3604c82.TMPMD5=456D225B4D65C9CF435A86E0A35A2EE3,SHA256=98A44CE309D109FBE724C41274306C85F0B69B2A3FB9CA4D460D015BE0E930C7falsetrue 11241100x800000000000000057345134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.177{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\9240.xml~RFa3604c82.TMP2021-11-12 12:16:34.177 254200x800000000000000057345133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.177{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4vcty0ms.tmp2021-10-22 16:22:32.4192021-11-12 12:16:34.174 11241100x800000000000000057345132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:34.174{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\4vcty0ms.tmp2021-11-12 12:16:34.174 11241100x800000000000000057345139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:35.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:35.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87AB2330467B393BCB1A39589D8EB219,SHA256=20A77742D6DA9548A0EBFE39463033C32BE007354AD569B83068B27953A168FEfalsetrue 23542300x800000000000000021219499Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:35.122{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB686A82FB9CCF03327AE8B8DE19581C,SHA256=AFBF7CFDBD0D140AD987BBD66CF29D1FA0B29385F7D58AC8C00C8438FDA17562,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:36.877{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:36.877{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD4BA800606D4439CAE984801DD8A2AB,SHA256=CA844E13E5362FD725260A0705DE389206255C0022CB8D9463174FABAB8F8919falsetrue 23542300x800000000000000021219500Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:36.185{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D7D05194424783291A1D9F170311947,SHA256=8CABB8842DFB6998F420160839EA112BD651240FDF38EBEB2203BCC19C05FD68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:36.377{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-16 14:17:08.076 23542300x800000000000000057345140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:36.377{8B6011A9-BB8A-618B-4CA0-04000000F101}7452NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98Dfalsetrue 11241100x800000000000000057345149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.892{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.892{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=578CE069CE48DEBB432D5EF713FA4A5B,SHA256=13B70F2EED0F92F051F741F53FA54ABF5EBACA940B2B5E175294B26DDE80377Ffalsetrue 23542300x800000000000000021219501Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:37.216{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=575C75558DB7A96412633EB046214FBA,SHA256=6E570E7AB1C67069D44FD3FBB0E50B6F5B3C8AC1EB922E23E676D704AF029DB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.376{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.376{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=658EE96801BDAF5EFD668D5EB2F5B067,SHA256=143BCF74A0E2FC5461179222A96FB178AF5EC1B28BA4FA0C4A813E304283D9CDfalsetrue 11241100x800000000000000057345145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.375{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:37.374{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EA9E7A2DDF287305EF017674E828D4A,SHA256=5D4C2155E31A7CF5F6BA16D6409A778EBD45D792021B3CE973023926D51A7D17falsetrue 11241100x800000000000000057345152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:38.922{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:38.922{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280081B0F18C188EEC7C04AC1641391A,SHA256=DAE63C9DD3F6D45A62BFC6A44776F60E9DEF96C4B026031B4802BD890A130FA0falsetrue 23542300x800000000000000021219504Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:38.247{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79AE8DC7BF3D4CAE72D8BA45807FE794,SHA256=3A04162D2C6351AAB94F5A6AE6BB0AC746047D01DD8E0F09A76795451A6E448C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.708{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54533-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000021219503Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:38.091{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15638288AD46F473F0EE212FBEBCAE12,SHA256=76C4E76904721C4A60C1B2A8CFC68B16A3D429CF24454B90416A92D6DE9F8CB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219502Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:38.091{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E4B36F7032F9E7E37FBEAEBDFE6AEC5,SHA256=50319FE1293AE6B16E03F0137D67E357FE07D27EBEF88E6403D0B91D629285AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:39.952{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:39.952{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FD47FA891B2109E59955EFA5ED95C4B,SHA256=38E2FD7C0B80224E2D7D7E536421D66F35BA3F4655CAB70C921913D3459889EAfalsetrue 23542300x800000000000000021219506Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:39.263{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25306039383F5FF046D050D0A2C22F84,SHA256=2EAD0C8BD6E135D5110F4A4A93A33405211B58BCC7190118BD56AF9A5B1154EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.407{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54534-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000021219505Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:25.496{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64316-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:40.988{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:40.988{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CFDF18CC4A91C5B5A6A8FD77080E4D,SHA256=94665268EAF5529A6D251A4D7A1149D04712BEEC116A1C390DFBDFCC58374150falsetrue 23542300x800000000000000021219507Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:40.278{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E520BC82F7C16A6F74721C3FCBF9CD1,SHA256=DD6962D707F764761E8A3196072F7EF1D8006B2C3B6EA9DFF1366C75268C47B1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:41.989{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:41.989{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157AFE84D9AF8DD50AF1B5CA3CB5127B,SHA256=75D8040250D1FEB48FB3C2BC235A54D14B9077F8C6CB8DEDA2FBF35F0BDE85FCfalsetrue 23542300x800000000000000021219508Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:41.294{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CB39DA27FFC16A74E2EF939EACC2DE,SHA256=8F8976BCB44FE6846EE899C030725E6BBE7037CD2919B0FE5233234A39A4028D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219509Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:42.294{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC415DE25DABE140F3E4F397CB1F7415,SHA256=33128FADF933690B9CA3A587C9203B0C566C28735B48927EC84F970E06D43339,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219512Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:43.294{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3B14A128F8C70C48F5FC1BC4239290E,SHA256=28757E58A295A7540D6CBFABEF5A7A9E0C21A4CA2E2D636908931C889C7141D0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:14.541{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54535-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=417BAA6C3AB57AA19F3E33ED5B6EA31F,SHA256=FAB5C332E1F7F99D8CED738FC1AABF72AEEAD905D11FA2236A64BE5EBDC57A5Cfalsetrue 11241100x800000000000000057345163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=658EE96801BDAF5EFD668D5EB2F5B067,SHA256=143BCF74A0E2FC5461179222A96FB178AF5EC1B28BA4FA0C4A813E304283D9CDfalsetrue 11241100x800000000000000057345161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.004{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:43.004{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE1BB3DB4416AA5E453498466005AFD1,SHA256=E3C6BE81ED2AA30C536943D80093200AB6A16CD0F1D261C72E1BEF7A4EDF8AA6falsetrue 23542300x800000000000000021219511Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:43.122{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5F0A262362BE6B3533B2B04062B631B,SHA256=8482660931A8D1C5B4392B849EE275F0D950E095CDC1D823F64CE81274B35F72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219510Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:43.122{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15638288AD46F473F0EE212FBEBCAE12,SHA256=76C4E76904721C4A60C1B2A8CFC68B16A3D429CF24454B90416A92D6DE9F8CB0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219514Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:44.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=162FBFDD0B700C490B144514CB0DA1B9,SHA256=C3332212551371C9629CF73D6EC9B9F0B09F1FF565C6EC172A00A3B274ACEF21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:44.006{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:44.006{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D97903B87420345BB947BE6159C34A31,SHA256=2F67AE8F6C968B4C997D323C5B479C24387E462EAAC452CE607AEEC3D0DE48EDfalsetrue 354300x800000000000000021219513Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:30.543{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64317-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219515Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:45.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F8E3DF29C5DDCC9E54504152F41763,SHA256=500889938D011ACE22BEE248C56BBD99E2F901425055332130EA3FC998441FF2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:45.022{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:45.022{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25433AF755B282EF7AA082EC1C2D1A51,SHA256=435A550E0639D47AE7867E54435B07EB98907F0781890F10403C054050334A34falsetrue 23542300x800000000000000021219516Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:46.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5493A83B90BC4DCC909ADA96342F71,SHA256=919593E23DC29AB061C0946771566FB7AD557FB18B7F61097507C1482C3A8E7B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:46.037{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:46.037{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3BCFEBA6E9838E7B76F9F5F7891101,SHA256=84FED10C8D291AAB280E50875580837BBAD2B33D446A87E41B29AF62A40E9D83falsetrue 10341000x800000000000000021219539Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B8-6168-3F61-04000000F101}4464C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219538Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B8-6168-3F61-04000000F101}4464C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219537Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B8-6168-3F61-04000000F101}4464C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219536Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219535Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219534Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219533Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219532Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219531Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219530Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219529Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219528Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219527Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219526Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219525Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219524Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219523Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B3-6168-3061-04000000F101}1032C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219522Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B7-6168-3E61-04000000F101}4336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219521Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B7-6168-3E61-04000000F101}4336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219520Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B7-6168-3E61-04000000F101}4336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219519Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B7-6168-3E61-04000000F101}4336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219518Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.695{AD5E2759-5433-6143-0D00-00000000F101}792812C:\Windows\system32\svchost.exe{AD5E2759-A1B7-6168-3E61-04000000F101}4336C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219517Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:47.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EACAEE6DD216AFA4A1F13277D1AB8B9,SHA256=9F1ECBF8CA74715B3576FE9C82A8C19B3099A7FAFC92CD226A9818CD7702F3C4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:47.052{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:47.052{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53BB00277F6CA560502D748AED80C3C6,SHA256=A5477E1AB1F3B71B0F91891029BE0B49FAE437E0242C28C22F62CBB03386BF05falsetrue 12241200x800000000000000057345183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:48.935{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:48.920{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 354300x800000000000000057345181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:19.604{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54536-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.272{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.271{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90489B225E8797FAAA3BBB0C70B4C3ED,SHA256=2EE39C9263E887A70414EC0932A53A0F72A2AF5E97719F6FBC5236E1A66D2121falsetrue 11241100x800000000000000057345178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=417BAA6C3AB57AA19F3E33ED5B6EA31F,SHA256=FAB5C332E1F7F99D8CED738FC1AABF72AEEAD905D11FA2236A64BE5EBDC57A5Cfalsetrue 11241100x800000000000000057345176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.070{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:48.069{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0733DD0B58928794E28D3B56D4EC9FC1,SHA256=9C62F1F1C4E4C1731200DB496AE700CEB3A5F51E83C2EF0AB39B0ED0AB2D22F8falsetrue 23542300x800000000000000021219540Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:48.336{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBABA1F70561D05AB45701203289D2D,SHA256=692C2192BA46EFC1BAB7D80FF384515F09F26A409F29DC6299E4385DCFFFB30F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219543Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:49.336{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4830728955586789F5CBBE0439C7C6AB,SHA256=F917AD0DD259AC4596750D97179648107B8B09869A84F8BBDE0EFE8B9EF5BE0C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.935{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.935{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=90489B225E8797FAAA3BBB0C70B4C3ED,SHA256=2EE39C9263E887A70414EC0932A53A0F72A2AF5E97719F6FBC5236E1A66D2121falsetrue 10341000x800000000000000057345217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2A00-00000000F101}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2A00-00000000F101}2884C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2C-618D-C2DA-04000000F101}6044C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8898-6164-8200-00000000F101}4920C:\Windows\System32\sihost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2D-618D-C4DA-04000000F101}8884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2D-618D-C4DA-04000000F101}8884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.135{8B6011A9-886D-6164-0D00-00000000F101}904924C:\Windows\system32\svchost.exe{8B6011A9-8B2D-618D-C4DA-04000000F101}8884C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.088{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:49.088{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8CEB6BE9D391F45C1567076391CE39A,SHA256=2B1E17AA996FC3ECFC776103AF23B99ADE02E28C4D0DE9B1D7F52D13A4FA7E78falsetrue 23542300x800000000000000021219542Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:49.070{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93911DEBC1E1F02DA891BD8774199785,SHA256=E57CED94E722B1DCE871D603AC79202252894D56BE28DB5108C198A63B57D1A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219541Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:49.070{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5F0A262362BE6B3533B2B04062B631B,SHA256=8482660931A8D1C5B4392B849EE275F0D950E095CDC1D823F64CE81274B35F72,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219545Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:50.352{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=134CE19F81DBFDA8201888E87718DCD3,SHA256=3C1A16668A1A9ABFECD2AA5FE7B2C67414E46B059EEECEDFEE8DE57DF18CEA64,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219544Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:36.491{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64318-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000057345222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:21.272{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local56403- 11241100x800000000000000057345221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:50.135{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:50.135{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ED301AE47E4701B0ECF3C51B7B3393E,SHA256=210EBB9B9C10647816CD98A21277BFD8FCE40073E8B35DD465F3D928859B66CBfalsetrue 23542300x800000000000000021219546Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:51.492{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5400CA53CA9CB0634785B22D72E650EC,SHA256=50A3DDCA69F392E6D32C0DE69EC59D58AF81CA9864EBF6514BFD3A9D89025564,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:21.283{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54537-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x800000000000000057345227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:51.266{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:51.266{8B6011A9-886D-6164-0D00-00000000F101}9048492C:\Windows\system32\svchost.exe{8B6011A9-22EA-6170-2B5F-01000000F101}5544C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:51.150{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:51.150{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2455755FDEFF83E917D762F4DB929CF0,SHA256=D4EF8B05169EE146653D91B6951D9DFD12AB0A375CA722B42B0BA64A300F2195falsetrue 12241200x800000000000000057345223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:16:51.019{8B6011A9-886D-6164-1100-00000000F101}420C:\Windows\system32\svchost.exeHKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad 23542300x800000000000000021219547Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:52.508{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DC61C6AE89AE2EEFF6928C999277C6,SHA256=B029C8DE48E421645192672EF2C41C37A108B416CB0C3904584455340E19FAE4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:52.170{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:52.169{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AED760311B63D7F53C753209E622503C,SHA256=0D20F5C613BAF7244CD34A98FBDA783A872B71070C284A47FFC86FE204571B0Bfalsetrue 11241100x800000000000000057345230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:52.034{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:52.034{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A1311962790414AA80EE2AF06E9F3C3,SHA256=F6673897E3C5C958C82E21D6B324A6F4350167596E8D6B99A00CCCE90A57B916falsetrue 23542300x800000000000000021219548Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:53.524{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D617A377B62CC5ED66F0E18F1B581B98,SHA256=661E416AE84C62483834AC7F9A8A7696AFB41D4EAC13F28CA067E8BA6CE010EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.374{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local50051- 354300x800000000000000057345235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.373{8B6011A9-887D-6164-2D00-00000000F101}3020C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local51843- 11241100x800000000000000057345234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:53.204{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:53.204{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECE8E88A42DD9B14AF845E4151CFC9B,SHA256=B9B75C57F3FE0EB26B0BD753FD7A67E7423F4BA824ED63C675C97FE56105AEE7falsetrue 23542300x800000000000000021219552Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:54.524{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF183BF8FE050EE98236E40849A6DE8,SHA256=F6A0BD349AF6DA79FB9A3B00CBD91A1854E30DB52D0D3CC4A9B703E68C4BB742,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:25.556{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54538-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:54.204{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:54.204{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677B6A5BF6A89ACE86C8878D9153A72D,SHA256=4B3BE54B9EA3FDBE391820723EF0D8F25B5195CB2CDA9DC27A81AA9714CD38FCfalsetrue 23542300x800000000000000021219551Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:54.414{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=891697F2599D083D47FB06C5765E8587,SHA256=B9EAEE6A2A7D3E15D8338DAB4852B8A13B84A596A289DA0D74BA8AA670B4F48D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219550Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:54.414{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93911DEBC1E1F02DA891BD8774199785,SHA256=E57CED94E722B1DCE871D603AC79202252894D56BE28DB5108C198A63B57D1A9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219549Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:41.616{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64319-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:54.070{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:54.070{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=116E72EDD8F18F8B54EC89D317C1EE26,SHA256=F7438A8CBC6A1F1CCDB466850BE6736D97BEFE9FDCDB654DD8532E4720365D3Efalsetrue 23542300x800000000000000021219553Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:55.524{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=058E5E1811576CF91E5E0D561CCC54E3,SHA256=173C1601ABEC2C58EC1E5B9FC6DD35CC15E07E951C44E6998E7A5059A97922B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:55.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:55.219{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8FD707C0634746BC5105E33DB409B0,SHA256=120E3D4F79F9DDC4AFC941EC201FA8FDD662A4DDD48F320A22F8985FA90D0709falsetrue 23542300x800000000000000021219554Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:56.539{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3346D3670C103BC550E677AFF9F96F8E,SHA256=294E487504997E6C05DD1A7AE46CF460E1863509AF890B61FD601061683C8A53,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:56.233{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:56.233{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3826F9E9ACA7BC3AF63BF6D5255516C1,SHA256=19C0443905980D6D359574735024D4B5FAF90A0F4677BF5FDC40B2FFEACC29A7falsetrue 23542300x800000000000000021219555Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:57.571{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3EEC5B25889E46313C28A729847C318,SHA256=BBF31E2CF823DA3FAD84547264A1B1E92E1EB9AE069B466A7332B7BE44F4E8D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:57.248{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:57.248{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5619504E2F047B192711A3F8BE8FEBDA,SHA256=64227124DFCF64A372D4B50B89FAF1E29E9A1FC1625C2563054C7C25C7EBC3C1falsetrue 23542300x800000000000000021219556Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:58.586{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609D5408FA67ED6E6E0BAF05B85DF7AD,SHA256=7F7CF59D13E2DE0C3730C51963A4305D4DB555BD8B93EE0143FC579223F7B825,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:58.300{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:58.300{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C241E5CC7857B9D0A1D675DF8110C48,SHA256=591805D130F4CC7F57E557A836AC78C9CF4D9BCC2FD24A5A9B0BD7B0BD713721falsetrue 23542300x800000000000000021219559Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:59.649{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9D8990A38DD26EDA6B35ABA0926FA07,SHA256=C2870278DD2DA5838C1CFBAA7E11641D52FAB7DF40AFF1CF9813DDF2142F7D65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.599{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54539-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.314{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.314{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BE207B96554733BCB9A2110B4B1423,SHA256=CAEF08122CB3BA5EE220623E3110D7215EFE6C1F918409783078BFF6373DDDFDfalsetrue 23542300x800000000000000021219558Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:59.477{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FBC6B3DC780E6A0E71CF9E4017D175F,SHA256=033123DB806FBE14E5FFAF18015CD3238CF015159EE45A0BB478ABE9BDBCA0E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219557Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:16:59.477{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=891697F2599D083D47FB06C5765E8587,SHA256=B9EAEE6A2A7D3E15D8338DAB4852B8A13B84A596A289DA0D74BA8AA670B4F48D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.267{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.267{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA2670C9F3CF9A892A8F363AA484F0ED,SHA256=78B8F9DC3DD9784383414CA6E45D96A97275203E4BDF8FAF6139244EE135DB3Cfalsetrue 11241100x800000000000000057345251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.266{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:16:59.266{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5E3B9BAEFE1E7F17371681D71A7DE29,SHA256=BB3471A065CE4F20C56A63304249A4A25EE8AF31B6F302BE863F4CF9C4513E1Ffalsetrue 23542300x800000000000000021219561Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:00.649{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30B371C5E06CBAD399AEE9619873F8D6,SHA256=E964112BB80964B040577A5D0E1EBE50FF4DB6405611FC54B4DAEAE19F78FD05,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:00.324{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:00.324{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23EFB2C9BB05C609290C90EB4140F73D,SHA256=904E06F5EE73CEE8EB8CA0A5E6080BFA5F9A9D74DEA29059A987329C2645CD7Efalsetrue 354300x800000000000000021219560Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:46.663{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64320-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219562Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:01.680{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73CFA1C40C2A7B28A9164D68DBA18E1,SHA256=85E3E0780E12BEDF8D25C79A0DF3AB57B1FC32144D03E43F49DF1FEC8BC2C329,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:01.329{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:01.329{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD4FA6E958F4DE2C956D5E3266598C0,SHA256=3EB997487A581B82BC82C94F6BBDCFD171D3D972109A3C9324D81157D9430078falsetrue 12241200x800000000000000057345264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:02.573{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:02.568{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057345262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:02.344{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:02.344{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6659871AA67822469FBEC730DB30842,SHA256=8427F5BB2956DA57B38DE95D60C0C0293B12929594678073ECBAEC99B6C7E201falsetrue 23542300x800000000000000021219563Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:02.680{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D46022C9CCF9B0EB585EA774D7B14A0,SHA256=35C0527BD1984FB04CD6F036F51FCC404950CEB5158FA3C256C15919AE201323,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219564Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:03.680{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D75ADDCAB9D17402A8370D61826DB5,SHA256=7A3B42050769E7302F175A8A85F770D68BB9612ABFC72F5A87E6287ED82D13DF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:34.921{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54540-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057345268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:03.573{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:03.572{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA2670C9F3CF9A892A8F363AA484F0ED,SHA256=78B8F9DC3DD9784383414CA6E45D96A97275203E4BDF8FAF6139244EE135DB3Cfalsetrue 11241100x800000000000000057345266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:03.353{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:03.353{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CAC8DC248952D72F744474D1E2AD79,SHA256=9B94C9DAEA711F37E9AD77F5F40239FFAA392EEC84A2B3CF8396FD6289EA7E7Dfalsetrue 23542300x800000000000000021219565Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:04.680{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4326054BF18C29E7E9499583E9E4FFB,SHA256=E6F98B3AF3608D7F32A6EBD6B15BDCF39BB207862F9475757E5C7E9B36C8CE0F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:04.372{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:04.372{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4330727C2D62E176F9B56271AD44C6F5,SHA256=3769BBFC125C934E9BDCD1C838DC0147BA997BE68ED735205B86C9C2E9A287D7falsetrue 23542300x800000000000000021219569Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:05.695{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745A51B51DBABC290066457F6090FDB8,SHA256=B1788562E040B30E612BFB41B84733EAC2E0F349AF279C9FF0E527E9E7AACB65,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:36.521{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54541-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:05.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:05.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96C4B16E61C1C3F2159EC370088F2E49,SHA256=3D29A287D51266837D6143E647EDC48856DFDAA600DE244CC51730051D2959DCfalsetrue 354300x800000000000000021219568Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:52.476{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64321-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219567Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:05.055{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73C28AE6A20DDBC63E2855820BDCA4D5,SHA256=77A6666364560040C7220361462B8D0A6B2C7CF56CA99AAB8EEF66C9C1C77396,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219566Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:05.055{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FBC6B3DC780E6A0E71CF9E4017D175F,SHA256=033123DB806FBE14E5FFAF18015CD3238CF015159EE45A0BB478ABE9BDBCA0E5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:05.189{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:05.189{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=312C7C28BAFCCBFADD461C937D948494,SHA256=1D4F100F8F1E9651CF72D800DE8478A0CF2443F0AABDBDF30A2B98A9EA377B2Dfalsetrue 23542300x800000000000000021219570Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:06.727{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C7DCE0CB581EF8BC7D2CA8793D1EDA2,SHA256=3E6E146E4D580BB17BF733984ED2D96B2B50201697858050F1F8E009703EF352,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:06.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:06.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BC4481875D07BFE97FF08716F03182,SHA256=B7DB7CF6773FCF55D525A914BBD4FE82688356E6312B2E1813790F55006A015Dfalsetrue 12241200x800000000000000057345278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:06.120{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:06.120{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 23542300x800000000000000021219572Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:07.744{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486D6D61FC67F8FE5BF3AB44788ACDBB,SHA256=BA46A3A430C38ED37EE5612D68BBFFDE0A1A0173412CD7BEEAA3FD8F15637EB6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:38.473{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54542-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 734700x800000000000000057345335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.836{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057345298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057345293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.820{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.806{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:07.805{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057345284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.389{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50760F89531ECF745221D96E67492AA1,SHA256=847A4040665DDCC6244A9AC1EB3035672B18C057F5EFF7D759C03D09379E9BE9falsetrue 23542300x800000000000000021219571Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:07.634{AD5E2759-5433-6143-1200-00000000F101}292NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=070E78676806440E8E14A99E629DBC61,SHA256=598B632E49E260B673F0328633FE7CCD17357AD6EC0C3B939464BE25B8F93243,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.121{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:07.121{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEB3DB775403E1B86AB79693C21D3571,SHA256=D238E5CCB2CEC53890E04AD755CFA0FF42C23874269753D57922CFB5468A8002falsetrue 23542300x800000000000000021219581Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.759{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C76CF37945493546D7952C37D8A33C,SHA256=A98BEEE757EDC8254399AA254FF310B562FB2FFB1393B285A0032EE8B07B0362,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057345401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.737{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000057345400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.737{8B6011A9-5B44-618E-40F3-04000000F101}101526556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.737{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.737{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057345397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.605{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.605{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D81B4BE36B1A16554C9098540163872,SHA256=C3C2419AB2EFA49E4D70F5BC73B347FE678EF40E757CAA478BB24F6AC4EFFCFAfalsetrue 734700x800000000000000057345395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.536{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.536{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.536{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:08.536{8B6011A9-5B44-618E-40F3-04000000F101}10152\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057345391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.536{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057345389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 11241100x800000000000000057345384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EAE032D56F3DD8D274628FEA6660EC1,SHA256=6A2C5187A4DB47AEB56EAF52570041A5E932F9A821DF40AA0C1C36B868EC5972falsetrue 734700x800000000000000057345382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.520{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057345367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057345355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000057345350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.504{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.490{8B6011A9-5B44-618E-40F3-04000000F101}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:08.489{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x800000000000000021219580Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B44-618E-09CE-08000000F101}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219579Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219578Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219577Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219576Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219575Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-5432-6143-0500-00000000F101}4122828C:\Windows\system32\csrss.exe{AD5E2759-5B44-618E-09CE-08000000F101}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219574Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.306{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B44-618E-09CE-08000000F101}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219573Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.291{AD5E2759-5B44-618E-09CE-08000000F101}3444C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057345341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.036{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.036{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057345339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.036{8B6011A9-5B43-618E-3FF3-04000000F101}22729768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.036{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:08.036{8B6011A9-5B43-618E-3FF3-04000000F101}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219600Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.900{AD5E2759-5B45-618E-0BCE-08000000F101}30925600C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219599Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.759{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37528D2FC2F388F567E2F6DB9591C5A5,SHA256=9DC5B2C281EF25B9DF9D9DC70124FA118F8C653E7C83941EF97F7CB2351AF5C7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057345518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057345514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057345512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.854{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.839{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.839{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.839{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.834{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.833{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.833{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.832{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.832{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.831{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.830{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.830{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.830{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.830{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.828{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.828{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.828{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.828{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.827{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.827{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.827{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.827{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.827{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 23542300x800000000000000057345489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.826{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\respondent-20211011185456-44546MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63Bfalsetrue 734700x800000000000000057345488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.826{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057345487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.826{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.825{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.825{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.825{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.825{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.825{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.824{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.824{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057345479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.822{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.822{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\respondent-20211011185456-445462021-11-12 12:17:09.822 734700x800000000000000057345477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.822{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.821{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 11241100x800000000000000057345475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.821{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\surveyor-20211011185454-445472021-11-12 12:17:09.821 734700x800000000000000057345474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.820{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.805{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000057345472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.805{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.805{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.790{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.789{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057345463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.751{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.751{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=352A65930FF5EE134CC5568C11ABF043,SHA256=FB68DDAFA39D6B5901E6CE53245026E1E2FFAA6A1DA61A88C3451AA1785F3B1Ffalsetrue 11241100x800000000000000057345461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.651{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.651{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44E02DE079D0F6E0BE075C846FB5583F,SHA256=9A501DAAAC0CED2ECCC0D59FCF8ABE56242DF550544E738AE32E94DD66BF1222falsetrue 10341000x800000000000000021219598Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B45-618E-0BCE-08000000F101}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219597Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219596Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219595Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219594Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5B45-618E-0BCE-08000000F101}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219593Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219592Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.681{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B45-618E-0BCE-08000000F101}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219591Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.666{AD5E2759-5B45-618E-0BCE-08000000F101}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219590Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:09.290{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73C28AE6A20DDBC63E2855820BDCA4D5,SHA256=77A6666364560040C7220361462B8D0A6B2C7CF56CA99AAB8EEF66C9C1C77396,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219589Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B44-618E-0ACE-08000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219588Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219587Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219586Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219585Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219584Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-5432-6143-0500-00000000F101}412980C:\Windows\system32\csrss.exe{AD5E2759-5B44-618E-0ACE-08000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219583Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.994{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B44-618E-0ACE-08000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219582Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:08.979{AD5E2759-5B44-618E-0ACE-08000000F101}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057345459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.420{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.420{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057345457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.420{8B6011A9-5B45-618E-41F3-04000000F101}73483376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.420{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.420{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057345454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.236{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.236{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E0A1FF007B9B691163190DA1433B1B,SHA256=0A2F102A1A30926D4EAA4D0CB9EB7A92B2143BE2BD1EB62F4675F2162B47A795falsetrue 734700x800000000000000057345452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057345446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.205{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.189{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057345415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057345410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.174{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:09.168{8B6011A9-5B45-618E-41F3-04000000F101}7348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:09.167{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000021219611Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.759{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DBA76E8F58C408986958E583C0A5FEF,SHA256=9D56A08A9B4F1EB288E16222A06BD6F4CA3C2B382B77728A0A1902DC4BC8E6A7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.932{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.932{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B77BC0E21921F499B9CB68F579585589,SHA256=791D3CDF267912EB1DCB0BA0896D95555CA2C3072B6995FCE77DA011C2CDDCF9falsetrue 734700x800000000000000057345640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.916{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.908{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057345629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.908{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057345607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057345605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057345604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057345602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 11241100x800000000000000057345601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C63DDE6AF646238C88D4814E00B4E95,SHA256=B83B15FF7C8C11C08635393C96BDF86666ADDD7C0DAD87D14C1B8E5A7AA679FEfalsetrue 734700x800000000000000057345599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000057345596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73EA858F572181ED8DC3226F41A17130,SHA256=FB4784885E0183173403777F20ACE3694076FD0CF242D5AD7427AC00AD2831B6falsetrue 734700x800000000000000057345593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000057345589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.893{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.878{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.877{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000057345580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.833{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\surveyor-20211011185454-44547MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 23542300x800000000000000021219610Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.697{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EC227F49A1BB95D977AC18DE74771D5,SHA256=41879ED9F42768031957AAA25036F1AAA20C74CFE68CD504DA01A1AA37AF43AE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219609Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.556{AD5E2759-5B46-618E-0CCE-08000000F101}51806004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219608Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B46-618E-0CCE-08000000F101}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219607Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219606Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219605Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5B46-618E-0CCE-08000000F101}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219604Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219603Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219602Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.369{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B46-618E-0CCE-08000000F101}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219601Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:10.354{AD5E2759-5B46-618E-0CCE-08000000F101}5180C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057345579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.579{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.579{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.579{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.579{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057345575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.394{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000057345560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057345541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057345537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000057345532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.379{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.364{8B6011A9-5B46-618E-43F3-04000000F101}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:10.363{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x800000000000000057345523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.115{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057345522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.113{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057345521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.111{8B6011A9-5B45-618E-42F3-04000000F101}86647328C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.101{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:10.100{8B6011A9-5B45-618E-42F3-04000000F101}8664C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219632Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.931{AD5E2759-5B47-618E-0ECE-08000000F101}1320756C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219631Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.759{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C638EFE23DAF9AFF31537B2457D82C7,SHA256=FA848B5EE03F7F213C9B878FFAB73DBED5AD4771C96FA376663229237FE5EFC1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219630Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.759{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=608B2B94F5BE48F8A546BF3E677C28E3,SHA256=EAB7B446D7CDD171D8EDEBCDC8D3F01AB8A1F5A9E1F4A350EF3541C596349ED2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219629Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B47-618E-0ECE-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219628Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219627Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219626Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219625Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219624Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-5432-6143-0500-00000000F101}4122832C:\Windows\system32\csrss.exe{AD5E2759-5B47-618E-0ECE-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219623Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.744{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B47-618E-0ECE-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219622Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.729{AD5E2759-5B47-618E-0ECE-08000000F101}1320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x800000000000000021219621Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:57.493{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64322-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219620Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.103{AD5E2759-54C7-6143-A600-00000000F101}4072NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219619Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B47-618E-0DCE-08000000F101}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219618Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219617Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219616Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219615Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219614Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B47-618E-0DCE-08000000F101}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219613Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.056{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B47-618E-0DCE-08000000F101}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219612Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:11.041{AD5E2759-5B47-618E-0DCE-08000000F101}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057345703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.796{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.796{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.796{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.796{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057345699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057345693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.617{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000057345662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057345661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.595{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000057345656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.580{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.565{8B6011A9-5B47-618E-45F3-04000000F101}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:17:11.564{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 534500x800000000000000057345647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.148{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.148{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.148{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:11.148{8B6011A9-5B46-618E-44F3-04000000F101}3288C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 354300x800000000000000057345643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:41.573{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54543-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000021219644Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:59.508{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64323-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 23542300x800000000000000021219643Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.775{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EAFC3CD99424822525719C1A74ABC67,SHA256=65D38C6A4CEAE8EA7DE0CE95472B03F4A16D11F17A25610BC8ADF85582379649,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.080{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.080{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937925D87CD24EE96DF0D42B390B689C,SHA256=81569199D4A2BD9E2F87B744CFC3AEC8480F7D9E5A9FD4D73393AD1B3AA2ABE1falsetrue 11241100x800000000000000057345707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.048{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.048{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6B8A5B34468FF5B23D3CBC82813C3D,SHA256=945371B5B83255A0EB24FDF51214E0A64775B2916FF123DFB92D13ACFC92AC08falsetrue 11241100x800000000000000057345705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.048{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:12.048{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=235A79D8C7AC4E77798348BB1B7EDDBD,SHA256=9E7E1E40583F68540A087A8F5D11E897096DE5190F54CDF7194093882F3EB4DFfalsetrue 10341000x800000000000000021219642Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.650{AD5E2759-5B48-618E-0FCE-08000000F101}30043876C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219641Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B48-618E-0FCE-08000000F101}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219640Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219639Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219638Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219637Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B48-618E-0FCE-08000000F101}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219636Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219635Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.431{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B48-618E-0FCE-08000000F101}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219634Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.416{AD5E2759-5B48-618E-0FCE-08000000F101}3004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219633Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:12.212{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45029CFBD1B8EF578D46EE0273B74A6C,SHA256=419F045C6C0B02BE8274255AFE200CDB6C893DE833135C9B7C7351E68CBE3FFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219646Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:13.822{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56AB16948A0A0067647466C8E014E38A,SHA256=DAFB42FF47FB881E1EAD83E2ED24AD4F4BF6E5557C0803D403648492EF7502B3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:13.094{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:13.094{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9156F479FFB2951F17219702387776,SHA256=E9B892E1B58AECC0FE766F65B6905788825D517ABC146A1317B90FB2D687D4BFfalsetrue 23542300x800000000000000021219645Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:13.509{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89648A0385667763416906B76DD77ECE,SHA256=8ACFBB82A876A8EE44B26FE80E76A64F6C7EB228AA4AD4E4363764B1ADF7F1B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219647Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:14.822{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D6E557D614D0A8BC7EB413C48CA38A,SHA256=48F540E326EE20000646B9905C6469F4DFAD9AE9BD1EBDF009FCC4151B998917,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:14.577{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat2021-10-11 18:54:38.077 23542300x800000000000000057345714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:14.577{8B6011A9-886D-6164-1200-00000000F101}460NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0FDA5DBDAC06E0B0B8C2127D1EB896B9,SHA256=70622DBC9A818CF562E4B2C28388087A9BCAE502DF7455AD78F9D9A46DAFE296falsetrue 11241100x800000000000000057345713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:14.112{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:14.112{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F72D2A85D2EE168BD2322707306D538,SHA256=777738535EC2137D76603D444544514B1A5D851D4E52E5868E96081B0F11B57Ffalsetrue 23542300x800000000000000021219648Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:15.837{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B341234BDEC2F81EB3E7A5678DB8C5B,SHA256=681E0C4AAE98E27D6EC985E35CE207BE13710D20B3C10CBE7CD41DBE3D10AF4F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:15.130{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:15.130{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787760173ABC4E04DEB7BF5CD47F93B8,SHA256=97ED441BE03CBDB1E74EB42D692F813C01E373BB3F96D9B8A3C780E2DA5B66BFfalsetrue 23542300x800000000000000021219650Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:16.837{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2BE18892FB9EB0C2C170630D8DB2608,SHA256=B2272378EDFB1313DBF254684DD4DEE3165C90F603FFC24A788B5157CA08D823,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:16.244{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:16.244{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CFD130DE93051174AEE71631857C5C4,SHA256=8C62CBB7F198879ABDA80A514085591F46924A55A43E81B1A964140C5DD961E1falsetrue 11241100x800000000000000057345719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:16.144{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:16.144{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E2625CED6EF9D8B6B2E407ABA88898,SHA256=CB20615853255880D71F122C1CC67C8629E1EAD336289FEA203BFB31F08972F5falsetrue 23542300x800000000000000021219649Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:16.259{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A94F863D2D6075F18D84390128587E,SHA256=66DD4936AF2EC390A3E47E0CD93B9AF6FA443DD5C628B33E9351D423A9238417,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219652Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:03.462{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64324-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219651Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:17.837{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8B0D18EC321528ED2A79CDD5602485,SHA256=8D53DDF7037E5E87FF4244CAFCDF89526FC4B414B9B0890105BCE94D8A78A0C6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:47.582{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54544-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:17.146{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:17.146{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D806C4C8BDDF408D081E6044533939,SHA256=D6AB9BD35B7EC44B9667E0E6E33065369775521A8D6AEE51F91746CE7B9A7413falsetrue 23542300x800000000000000021219653Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:18.884{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D273E2E84CB9FF458136B933185D83BF,SHA256=AA20729179FF06F4D5F31B7C47C867A4FEB75A7D5C35A3DB8A5B72DE121B88BB,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057345728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:18.391{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057345727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:18.391{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x800000000000000057345726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:18.160{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:18.160{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0B6C0B2DA605B0FC5282BC6B35B966,SHA256=DFBA5CD5DD31329A09E0F5CDBBCEB4FAE1F8C51AAB4F67C828EF4294E36DAEFFfalsetrue 23542300x800000000000000021219656Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:19.886{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1501DC9E64A24116144676247A580A5A,SHA256=2A2AB26E57F175501C2C995FE710D176712218BADFB546EFB4931FFC2D32EEF5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:19.412{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:19.412{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=931255CC5F81FAC155160803A8B39F75,SHA256=8AC252F93EE693F363C5D2F84F6E5BE394686EEDB8E610980EAAFF093691A5E9falsetrue 11241100x800000000000000057345730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:19.174{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:19.174{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6FC4295E875E7430E908C75B64FAA2F,SHA256=BB63A5224BDE3355C4AF852FB518B35FF6C532251EA5859C841A01F5D4BA1188falsetrue 10341000x800000000000000021219655Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:19.165{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-A1B2-6168-2961-04000000F101}3520C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219654Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:19.165{AD5E2759-5433-6143-0D00-00000000F101}7923680C:\Windows\system32\svchost.exe{AD5E2759-5433-6143-0C00-00000000F101}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219658Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:20.894{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFBC249A0A64C537D6B1D0A34A85D30,SHA256=87AB8B3C3FE969F119962BC108640CDE690D6C29247C4F309B5A18F0DEEE577C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:50.744{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54545-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 354300x800000000000000057345735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:50.744{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54545-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 11241100x800000000000000057345734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:20.189{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:20.189{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49CB591784B43E5005AF4E8B8E277C09,SHA256=487AC7AA9B71B0CA899FA419A671BC0889E0A299B3F01037AD28A838FF09DB68falsetrue 23542300x800000000000000021219657Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:20.342{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\respondent-20210916142702-79908MD5=8085950F126672766A1DF0580C539A31,SHA256=836015C54DD1F9176CE157D9E23B9B47C196C9CF50DD587B63CC20EE15FEF46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219661Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:21.895{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F977431FC694C4C0A268E372ED8C880,SHA256=2231CA91E18507AC1F79D45546A94390F19CEFCC634037345A8D85B2AA45DC83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:21.225{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:21.225{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71BC18C1E0F01F82D1FE454EBFDD2E77,SHA256=F3DE9402BDDB5F3DC6D227A37EF6F34C7023E5A8A7F00D2318531FEDF944FF28falsetrue 23542300x800000000000000021219660Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:21.348{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\surveyor-20210916142700-79909MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219659Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:21.144{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25DA1F5B9744D0568C23BD921712D498,SHA256=EC228065D8C67C91A3468C4EBD47DEAA1B9318EB57DFED1FC35AB7F5AB600A44,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000021219663Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.542{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64325-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219662Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:22.895{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47FD313176A12896C53F06D88F10AB3E,SHA256=44123897069808120A502F6C942FC9EB98BB0B63E8B5E6A39E24EF11D441D775,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:22.256{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:22.256{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265C4EFD9D450F4933FF2CF66E594EF6,SHA256=B9F86FEBCCB0BDC9AE189DD7777185DAE0FD8206C012596200425EE0702B003Dfalsetrue 11241100x800000000000000057345740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:22.224{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:22.224{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91414562B5F9D43786B7837F8092A7C1,SHA256=B0E76EB67DD7D22310F6F40E299FCA0E8A4671D814272BB25E794DB0DDF70BCDfalsetrue 23542300x800000000000000021219664Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:23.895{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82E31B0A8953A1A68EF27AA9494FCC99,SHA256=07617583E311AFFF6E6774FC0E6A46307D7F3C76801838FEA21AF6F18B5E4C48,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.623{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.623{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6DA5702FC5CEF6ADB9AACF14D4530EC,SHA256=EB6DF6A1F97596CD2EB79C83A37E335C6E4B3FDE50B51C3D7FEBC85B036C6036falsetrue 354300x800000000000000057345745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:53.560{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54546-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.304{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:23.304{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF5FC3E7CBCBFEA1EBCF01ABFBB26F9,SHA256=A831642C4D537FC0B11F22FF4CD34A3B1BB2EDBCA683B26F638CA5DFE84CF4F4falsetrue 23542300x800000000000000021219665Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:24.895{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC8491D196A48EFBB1D80F697D6E5C3,SHA256=89137BB6AABEB95A2F492F8D48763D32EFF9C0DA2EA3D69327154E0BB15CBEBD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:24.322{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:24.322{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9212B8BADB393763B1353986B34F461C,SHA256=4A697486021F7063DC5E7E845096283F5EB822DB271C5CAFA739EBCC036AB796falsetrue 23542300x800000000000000021219666Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:25.926{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FC8FC2434C9639BB69CB13E72E32AA,SHA256=2775B37D2ACDB647561BAC098D986B7FFA2BAB695E368AB1EE78292E155B7E7A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:25.337{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:25.337{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAE1B77ED7B940838FC4C9768630C90,SHA256=B9FDCA510E919F4CF2F52A76496A4181EA3F2284854D67DB47EAAF5AE61677B7falsetrue 23542300x800000000000000021219667Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:26.957{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EC42935B2375E10D3B43E26BF11BDF,SHA256=4220118728EAF62C39B333BD661AFEBF03CBB2A50E8184CF99AAED369CF06BB7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:26.351{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:26.351{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A45951BD83710EC905BADF9CB2A304,SHA256=AC85028968DB48283AEE178C7550AD421200325812DE0C9ECC07A9A39059A315falsetrue 11241100x800000000000000057345755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:27.366{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:27.366{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB88791E81CED32839FB02277B1FC7A4,SHA256=D158B6759B013ABF451FA7199D741B87AA9F17DBB649558F4BBDDA03FCC960FCfalsetrue 23542300x800000000000000021219669Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:27.067{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC66E5EA592939C5F379276FBA6A607,SHA256=9ACD7FFB785EC18386225DE6D1047B04755AE5B0562156AC3BA0F265371E08CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219668Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:27.067{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB3C6C1468A346315595A7346A0FA044,SHA256=FF3AAA113C6A07197F2792E43CACBE1D689AFE53306A1054BCEB3B5A5DD994B2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:28.401{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:28.400{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D619563736803F0A322E2D5400BBFF,SHA256=E0D212D3E488FC0CBF065A9B918A99F473E557C76607D6DE48E24069A5DF24C7falsetrue 354300x800000000000000021219671Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:14.472{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64326-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219670Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:28.012{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE263CB676B5DCE316D96D0FFB6F03D1,SHA256=5C023B28B43F4B752B98F1854C95A71953019D9105FE862E7D0C6A3C76D74651,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:28.166{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:28.166{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12018286C22E0B9CF8433712AC632159,SHA256=2261C9D59912E6243DE772FDA536A4B829C59ED538C29780D3D911538855CCEEfalsetrue 11241100x800000000000000057345762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:29.419{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:29.419{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A4A319549039432FBC46FC409E2A40C,SHA256=EBEFE63EF95439051FA7C664C1520AF7969A1322D695015BAA17B2B3CA2E0A7Afalsetrue 23542300x800000000000000021219672Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:29.044{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83546365727AD8D1685B836BA130462A,SHA256=47C97290425CFBA52EBE11E7FE62A8E16622BA4C67E565A110290033395862FF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:59.488{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54547-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 10341000x800000000000000057345766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.999{8B6011A9-886D-6164-0C00-00000000F101}8481664C:\Windows\system32\svchost.exe{8B6011A9-886E-6164-1500-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057345765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.999{8B6011A9-886D-6164-0C00-00000000F101}8481664C:\Windows\system32\svchost.exe{8B6011A9-886E-6164-1500-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.450{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.450{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AF307642E847F20FB4BEF1257D1E2C6,SHA256=68A42BC99FE74A1A49A18167BEAAB05888AD1D98847C5439C47B14332BB788E7falsetrue 23542300x800000000000000021219673Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:30.044{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6750092258B09F24254DA2F226064684,SHA256=90452F2EAEBB43F1AF13F75E7A03823028C9F7922C85B1C04E3AF7718348EC21,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:31.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:31.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A3F41AC0871D21E15847903F1D82846,SHA256=5D942F731706B2E13E6C571872F40C720D01757269D3ECAFCF57240C372AE393falsetrue 23542300x800000000000000021219674Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:31.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DBC1234288071315D9D29664885648B,SHA256=3AD2852C5D0E94D11FB4B1AC2A33D9AC02C494092DBE20EA1D25D8B07726AD4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000057345767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:30.999{8B6011A9-886D-6164-0C00-00000000F101}8481664C:\Windows\system32\svchost.exe{8B6011A9-886E-6164-1500-00000000F101}1252C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057345771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:32.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:32.466{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E7D5C2D6DD055E1875AD9C4A7BC975,SHA256=EFD64345558F51F60785EA599CC33FFCB0B821F67D55ADAD1C32BED70CC20025falsetrue 23542300x800000000000000021219675Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:32.075{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C4D042D99370570E0D7833EEDAF638,SHA256=5B234EACEF01769AEAB46D73C8078E4461982DE40CDD7F11EDB3119A0233D03A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:04.587{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54548-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.503{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.503{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D77D9D59C9606E4C9C128A3B53F811,SHA256=2DB9D83ACF5D3F14F1C73A6161DC4BF42EE6A9B9BCE09E1C2FE068C16D209A6Efalsetrue 23542300x800000000000000021219678Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:33.106{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26D80B46A78493054F065C94A5908095,SHA256=0B087C509396D3D9A340DD61FF534724D671A5BEB309EAEDC25B98E14F17AEEE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16538A5875FB6E95564ABFE169A3FA4A,SHA256=F5943FEB6537D54712D5BF4F199DBD1BFBA9B1AA4A91544CBC77E355B08E2323falsetrue 11241100x800000000000000057345773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:33.234{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5DE25D62DD7104B562BA46F66BDA161,SHA256=723B234408D5088CE7E9A13FBD5362638D906E41A9B5EDB01992DAAB6E5D167Bfalsetrue 23542300x800000000000000021219677Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:33.059{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AA01E449291AACCC47A407168247E00,SHA256=D415BCF7B54937F10BB58D59F1E13D259DB95DE6C1E4A84D3BC911AD84405187,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219676Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:33.059{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCC66E5EA592939C5F379276FBA6A607,SHA256=9ACD7FFB785EC18386225DE6D1047B04755AE5B0562156AC3BA0F265371E08CA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:34.517{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:34.517{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D65BBBA0A259340CB941B2ECFB6A7E,SHA256=4CBB0D2C4BEBCB44E4651559B716B86E688EA2C4E0E23994178B2D45782A2CD3falsetrue 354300x800000000000000021219680Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:20.465{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64327-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219679Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:34.153{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=341A7B99A2299A91F4DBEC68FCB49D36,SHA256=66834291EFA516BF2AF0380637211D15445332F54F5E535EF063E359D81ED02A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:35.532{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:35.532{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653E2CF1A1B81DFBED46E8D926CABBAF,SHA256=11F356517FA8E2AAFC06755619212BCA3804DD120866860BE72C7592EDD151E9falsetrue 23542300x800000000000000021219681Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:35.169{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725A22F43A04C6AB5AE2CBCE21D48BE0,SHA256=FB315F275ADA6F655A19E52757F7EDE149333EEEE80471A7AE2EA864BA61A91C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219682Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:36.169{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11E02976F8AE4540A3D24096C37DCBA6,SHA256=619D236CB87C2ADC771772AEC7D57BB4EC200FF7A741283E013287E738238EDA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:36.568{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:36.568{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66972EF9B5689F9E19BB811C746F12CA,SHA256=FC89AB1E29EF96DC80522BAE4FBB0EACC0BB339F38EF115967CDE2AC55037E7Afalsetrue 11241100x800000000000000057345784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:36.405{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-16 14:17:08.076 23542300x800000000000000057345783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:36.405{8B6011A9-BB8A-618B-4CA0-04000000F101}7452NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98Dfalsetrue 354300x800000000000000057345791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.737{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54549-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x800000000000000057345790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:37.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:37.584{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7609F908C5F8A4C9D6A2998CE0DFDD5,SHA256=3E08DE352D86E06031C7CBFA9896C2D01D7BF14D8D58147B1C9E15F5866B82CBfalsetrue 23542300x800000000000000021219683Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:37.184{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD56CBF221EBF76468385A693835ED3D,SHA256=E8168C2410C8DC867DE5194526E48EEC76E73198388B6FF23A084D3923650E6E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:37.421{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:37.421{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16538A5875FB6E95564ABFE169A3FA4A,SHA256=F5943FEB6537D54712D5BF4F199DBD1BFBA9B1AA4A91544CBC77E355B08E2323falsetrue 11241100x800000000000000057345793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:38.620{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:38.620{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E54AD55A4AA8BB3A3EE380B157F06A6,SHA256=52FB37FB888830C3E772235A727F9F5C54A6790F42CC120FFBDB08DA9E7E8D43falsetrue 23542300x800000000000000021219686Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:38.247{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6803F073B108C45232FD5830FC3F400,SHA256=4B36EA9EAA53E81DF519E5F027A767FEBFE92091057B8E8E499B291A99FCF856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219685Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:38.247{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8AA01E449291AACCC47A407168247E00,SHA256=D415BCF7B54937F10BB58D59F1E13D259DB95DE6C1E4A84D3BC911AD84405187,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219684Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:38.200{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680ADDF4F5267260115B6951185401B8,SHA256=F3192B53E955E989C701511E5229048A70EA09B903B58C9BD19A5B3DFCBC53F1,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:39.650{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:39.650{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE92A03809FDDA04A49DB86DDEA9FE0F,SHA256=CF3BC4665FFF881E06A81F9D3482EAE97A17995121E6A175D99A45ABC41FDF7Efalsetrue 354300x800000000000000021219688Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:25.669{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64328-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219687Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:39.200{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81B3E35EC8C80E16517D005F1A6441E,SHA256=9DD4E2CFF3DF9DF5DBA04C0721699770F6439C0DE5CF6F990B328B89822A4132,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:39.251{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:39.251{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=787784FEFB9D8988379DB8A9E37D440D,SHA256=DEAEA43C8E10CB6FCD23145B492FD646E75567328A3F9C1ACD4F1CC87064CC67falsetrue 354300x800000000000000057345800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.589{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54550-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:40.699{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:40.699{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=833EC401814FC40FEF55C9E046102941,SHA256=06D6C9188A6DE29CFDD1DBDEEAC746A48D3D2C72F4BB959800064E867AAC3970falsetrue 23542300x800000000000000021219689Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:40.215{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B007CF87069FFCE430A3E2ED7B722E8,SHA256=B9B9384612F03A8B34DDE65DFBF41F2630532E74FA530594943AB08714A3ADB4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:41.718{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:41.718{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A7B346996248493BF09B292A8BC11A,SHA256=148185CD0E3F5CCEC5836BC782E1E1C7EEBB20AABF150867C2B19F40F93820B1falsetrue 23542300x800000000000000021219690Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:41.247{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F433AFB2417FFC64888B3CC6C5646324,SHA256=7F3B1F248ECE45B5078021973D84F684D41393A4E260C1016A6B69B09B64FC10,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:42.748{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:42.748{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C52C634639F7711D5BA1789E87D023DD,SHA256=E774E75BE00E3E3C245A933ACEC92696AFD8DDE6A34C90DB4671BF7CE9787408falsetrue 23542300x800000000000000021219692Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:42.294{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38E37C3ED8BC5EAB48FE0CCF28DEC80C,SHA256=39ADF59035C5B8BC11AFD2804DDD522F1CFC109168F29B2402F56D98BF47A4AD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000021219691Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:17:42.122{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7bf-0x4a9ca010) 354300x800000000000000057345809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:14.463{8B6011A9-886D-6164-1100-00000000F101}420C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-469.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.us-west-2.compute.internal123ntp 11241100x800000000000000057345808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:43.763{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:43.763{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2412A24D63DD5BBE00A919F6EB8F2276,SHA256=5F5D0F85422E3E279A5683F372BAA63812BD1D559F890B8496EAF8FA9592C63Cfalsetrue 23542300x800000000000000021219694Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:43.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513320FF7A7AFE4F8A4EE81550FC9F09,SHA256=537D5BA96E42A8CB3BE1A87356043035995B8EE639BBA8921F68BC783976B4D4,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:43.117{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:43.117{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CE8E5B35C07225F2231CE105E9B997B,SHA256=1B92394C93682D4762EAAE1A400F06EA4709FE65B6BDF2E6282469A6BB116160falsetrue 23542300x800000000000000021219693Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:43.184{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6803F073B108C45232FD5830FC3F400,SHA256=4B36EA9EAA53E81DF519E5F027A767FEBFE92091057B8E8E499B291A99FCF856,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:44.778{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:44.778{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CB80821EC2F57193E6911A5E0F1C89,SHA256=2A87D4D17EECB9D150E54889BB1F640785CE7310429CDBDF42EA89707DAA1EC3falsetrue 354300x800000000000000021219697Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:30.527{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-874.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.us-west-2.compute.internal123ntp 23542300x800000000000000021219696Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:44.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74768D3250989CC4A70A8E023D9EA50D,SHA256=3BE034D1CC775D929BB05143E060F17C2B4AF80A8B1E07118FF9A05A94D5975A,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219695Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:44.262{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=449E4D9D81E270CEC5737EA33F01667F,SHA256=BE8E66054C6BE8FFF3094CEBA7FB4C4DE8BEA394038EF19BBB1D32C69EC5AECC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:45.797{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:45.797{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0305EF1CA75104E9ED293BA35B1BB312,SHA256=C07EE09D331925088E032A075A9D9F048FB236F4DE7158E5B6DA332DAB44785Bfalsetrue 354300x800000000000000021219699Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:31.668{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64329-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219698Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:45.325{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE20B6128B51564B834511A53EAAC19,SHA256=6743951FBF6DE0CBE341B60A96B817B864E7A1F5C4B1A1E65E3D0A4CC814C750,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:45.146{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:45.146{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=245E74532944AD74E535FD24B8C78A5C,SHA256=2B364EF91FE99D3F6378A3B0C52B944E0EDDE73061629A76BB3BA710EE2F7CAEfalsetrue 11241100x800000000000000057345818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:46.814{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:46.814{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19CB8A05F4B7923BB7803D733A200FE8,SHA256=D4E730CB7A34AE780CA63EEC4915D6B56DAD55F7211ABB2E103044F208A02EEAfalsetrue 23542300x800000000000000021219700Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:46.340{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=029477035C5486E1864BB3A096119743,SHA256=88526D1E1DD5D20A85003A80ABD73ADE7CC0D3B1CE56B76699F8369C6ECE99BC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:16.469{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54551-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:47.829{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:47.829{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8981566287EFE081C5F4CCCE9C4DA75,SHA256=F6524A23C9CDBAE5B127017C3F7FCE4323E16820D85050CDF5D2A3EDC59B6B10falsetrue 23542300x800000000000000021219701Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:47.372{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=574E769A86A60F3C87E3503D46B3DF79,SHA256=5FEA440CFDDC993D1A3F6901EF27B20C1402CEAEFB4C652CB00FFD397291733D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057345826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:48.944{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:17:48.944{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057345824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:48.860{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:48.860{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007831FE341201E58E7BEC4FCBF3332D,SHA256=98D727A68A54F82BFB9EC10EA92388A4D63B7EC1A1A5B7AAF77AC62C64754157falsetrue 23542300x800000000000000021219702Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:48.375{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1D348E1FD303FF903B9B06B07B3AEF,SHA256=C6AD66F8C8801FD98FD3539BB9BB87F6A243F13B9306FD9CE93B9A79C89E8EE3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:48.613{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:48.613{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAADE87B8F364A737F2A0C93967655CE,SHA256=39536312C92B685EEF35A1D388E4905DB75D874DEEF22436C6C693E653473ECAfalsetrue 11241100x800000000000000057345831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:49.975{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:49.975{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1C525BA4FDAC128CDFC8CBB9840D1F5E,SHA256=FD871CBAECDC511D9A70ED70C5906B8365D82D5FF90189D2114A6076235DEDBAfalsetrue 11241100x800000000000000057345829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:49.875{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:49.875{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71B21598B773448DDBB4D026B484122D,SHA256=BB363617FE9A5E6F90B1E766F4BF28914F8096506D0B5A5224E28868AA4D2871falsetrue 23542300x800000000000000021219703Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:49.391{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB473A9EA748BB04E7E4B728BCCF8403,SHA256=0A8D912FBBF2D1CD376BECAC2120679561C8996AC356C21BAC3136A7A9C0A72F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057345827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:17:49.013{8B6011A9-886D-6164-1100-00000000F101}420C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7bf-0x4eb82206) 11241100x800000000000000057345835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:50.895{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:50.895{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2866B43D0200C083E0A318106115A5E,SHA256=ADFDE56CC2E7AD3A507F3B6CF43373D8A8C09C9A35CE8E07C98296018FAD635Efalsetrue 354300x800000000000000021219707Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:37.491{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64330-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219706Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:50.422{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=927096AD38E33135255B96AD79139067,SHA256=D2FE044D1DB7B3A039F04C75C624FAFBFD958F6EEB6115613E5FBE7D8D48906C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:21.528{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54553-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000057345832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:21.298{8B6011A9-E46E-6165-1E2A-00000000F101}4584C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54552-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 23542300x800000000000000021219705Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:50.079{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A2B89A0E77195ABA717F8E3F93B8473,SHA256=164FA25A0C268B2E946A56E34740A2A93FC242529ED2120CB7163E759E4E4F8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219704Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:50.079{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAB76BF43ED4071058345185CA7A4482,SHA256=7159FFD850E9A4016918D6BBEFE5A34CEE9DEA9C3F4D8CDB6FE9CD47DBC61D68,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:51.927{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:51.927{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B58F577E8DDC044AC3ABEB5D3C677E8,SHA256=7A2367E83DBEFD5C274842D69CC1E2E43A95779ED68D70AC2E8E49E5F2CB1BE5falsetrue 23542300x800000000000000021219708Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:51.485{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B24492B92FC48EC62B5A7E804E9939E,SHA256=37DF4A76F1A8BAEF32C71D585F6608B3C208E8C8876D276A1A01D6984190141B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:52.928{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:52.928{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC5DF6FA69B45957DC523DD166990E79,SHA256=3FCE1C8D1639F1EDEDC27EDBCCC83DF4E13847A8C64875241ECF76C73737CF9Afalsetrue 23542300x800000000000000021219709Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:52.500{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=140687E24E0BA8B73D3323E0FF6F5129,SHA256=4313FF3ACFE3D9344B8E067DF00ECECBEFE613D13413170F4B3D4A38ED678D27,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:53.929{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:53.929{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D26F73CD423777A7BFD03813DAE94D,SHA256=D82A97DEFC295FFC1B47CB6952F2244918C0BAAC36D18311468D1FBD17724922falsetrue 23542300x800000000000000021219710Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:53.500{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1622A51CCE88B5F137130B01F4EC88,SHA256=97C1AB51BF94BE2C36BC6FE61A87C0B813CA7474B861EC75904DC46BEA7A2B8E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:54.944{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:54.944{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=925F8C663526E9C45492C9917B97860E,SHA256=8069FA06A28212F4D302CC144A87347F7D21EA793B1C8A95A6A1F5F8282ACA3Afalsetrue 23542300x800000000000000021219711Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:54.532{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7BF778DBC7800A377A951E839790E2,SHA256=FCB915FF8251532286AB0F2E859E2B047167064F0FF17A50796D4BA0D1D16A04,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:55.959{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:55.959{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D9AEEBA56C4F2ABF7534CB2955455C,SHA256=9BFB19A46E2297F3E1FD1B61801178044B34F42ACA43EAC30B6ECEDE94C6033Bfalsetrue 23542300x800000000000000021219712Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:55.532{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E85A03B6F30A7F96D0F1A4D4E44945,SHA256=40F73918A0CAB63672D649E709CB2A63DAD2A949A4572D01C0A526509A6DA604,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.960{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.960{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD2CFAF217890E0A0F3997668521428,SHA256=0248C6C45E173510E31F245219DC5DC786A8DEDE8413185045E13235A8F0277Afalsetrue 354300x800000000000000021219716Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:43.532{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64331-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219715Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:56.532{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B437E107B323A3840551825FB6AB050,SHA256=C1703E72EFFE27726B69DB15E4C495BD41E12CC8535C2F6D2902EC7EDD6C2E3F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:27.465{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54554-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057345849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.128{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.128{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1692710BBB88BA04C27F2333F2F630A,SHA256=D0DF7AB8950083966AE7291D7D7757D15C7F4B21EF2182FCC346BF5CB9EB1E16falsetrue 11241100x800000000000000057345847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.128{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:56.128{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB45AD670FA1838F9DF7825CCAFAAD23,SHA256=D3AA4576019765C37F016CABA10E8FB11CD6CD6C733C83D900F8609185864729falsetrue 23542300x800000000000000021219714Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:56.157{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603EAC62BAADE2C1451F772446763C90,SHA256=6A36142B3ACECEAA67129D0A335655C40BC72AA48DA131054AC00311B330F872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219713Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:56.157{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A2B89A0E77195ABA717F8E3F93B8473,SHA256=164FA25A0C268B2E946A56E34740A2A93FC242529ED2120CB7163E759E4E4F8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:57.994{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:57.994{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A378CF63BA645E3DC691D679EE617216,SHA256=3A1FB6CC64F50829F2ED186C525FCC1E9F095C09561B88046E4A5BCC124170A9falsetrue 23542300x800000000000000021219717Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:57.532{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D79D0A2B73BC4DA4FB43B3D716C9F73,SHA256=291E38221782922D0A9F7147D4808FFF5C8D315140A70099E2EA86EADCA37E9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219718Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:58.579{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF079564261B11E3766DCE36477A8401,SHA256=5E9FC3E1BEA97CE9695C3DAF64E4E88B6FEFCCA6B7565A0AE0ECE7866FF69FC2,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219719Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:17:59.610{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ABDF94F76C685A0AA280A8824A578CC,SHA256=D3B8A8ED7E2389AAB7D9AEA50EAB3307D3DD67C5FAB12717B7F8A1D71EB6F0FE,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:59.011{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:17:59.011{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9A29E01341659087311D4BA7B23338,SHA256=626AB28C49F96AFCF8B60A9FE5A58CDB9F6EE7D7CD1439BB6DFCDA09D7CD737Dfalsetrue 23542300x800000000000000021219720Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:00.625{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2F670873905B24A456E979AE1DB9B8,SHA256=0A6547D6213CB469CB7C12EF59036AAFDAAA95038434EE7ACC68016951339829,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:00.027{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:00.027{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5384E93D958E6261345C72C04E14B2,SHA256=21B28E99A8DDD4E52879F5E3CD724389DDA5C3E66BF7606C8CA211BB9A4776B1falsetrue 354300x800000000000000021219724Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:48.594{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64332-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219723Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:01.657{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DFB95D7C31D7497B104FAEDBCCF235,SHA256=D16394A657AD288E44890E61C622371C5C90E7457E190E2CE826ECB6AD0E5A00,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.228{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.228{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA86D5F71CB4B87C4C9DA6E354632F7D,SHA256=E1275CB85D55D2988C895A593445BE2D333B8D69EAD83AC841D58660DC6770B8falsetrue 11241100x800000000000000057345862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.228{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.228{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1692710BBB88BA04C27F2333F2F630A,SHA256=D0DF7AB8950083966AE7291D7D7757D15C7F4B21EF2182FCC346BF5CB9EB1E16falsetrue 11241100x800000000000000057345860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.028{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:01.028{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8CD0A7D7967152C1151C0D99C8F1872,SHA256=693ABBB82FDEF07EC38E436CD7C5BA931DB3E72F13FF5D010FF4C6BB797D13CEfalsetrue 23542300x800000000000000021219722Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:01.204{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B0213E9144B3D9E778446D62D3233B4,SHA256=7DEBAA8F0D3B4CD046B319639121D8B60C77AB4EEBFD80109A2758D25189AF7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219721Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:01.204{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=603EAC62BAADE2C1451F772446763C90,SHA256=6A36142B3ACECEAA67129D0A335655C40BC72AA48DA131054AC00311B330F872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219725Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:02.657{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2A761A6A4A061CEAA26247ABA78F8BB,SHA256=DBB9E218FB8BBF2EA6F0A771B0C321A03BD9A4D9074FA96DBF277460A42E950E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057345870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:02.575{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:02.575{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 18141800x800000000000000057345868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:02.343{8B6011A9-887D-6164-2D00-00000000F101}3020\lsassC:\Windows\system32\dns.exe 11241100x800000000000000057345867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:02.028{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:02.028{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C30FC9073374F16201D4A517FABB5DC,SHA256=BDDF40101C2C960108D4553E0E5B4DF56E5904FAE37ACA2945AA0E0DE04C5C78falsetrue 354300x800000000000000057345865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:32.566{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54555-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219726Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:03.672{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A607AFFAFD73955767F6FCB84E8EF82,SHA256=31BDFDEA5942B86D442734DF80F6396BFC7CB6A78F7D2E0955D0E144CF0B847C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:03.575{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:03.575{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA86D5F71CB4B87C4C9DA6E354632F7D,SHA256=E1275CB85D55D2988C895A593445BE2D333B8D69EAD83AC841D58660DC6770B8falsetrue 11241100x800000000000000057345872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:03.074{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:03.074{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA16D9BBD4C2FCD4EEF1C1A0443F2419,SHA256=059460F8F621CA9D65E48AAC3BE1C175307836A41A18B76099D598B57EF7A8A2falsetrue 23542300x800000000000000021219727Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:04.672{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C6D715D3D1454560D6FB565B3C15606,SHA256=527816EA67A79C7847B39F7850BE1AF38A661823F81FFE7403E730F991AF59F5,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057345876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:04.075{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:04.075{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A27101FF1E5B1B37F0C7CC2E31C2D4,SHA256=5896ACA88FB50DFD527082874464C86E0424152B0D576E73196E2B8A67C295F6falsetrue 23542300x800000000000000021219728Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:05.688{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FCA166BC6D8A5141F1BE6404F7C7EC,SHA256=13382C737D0E0AE900BDA74DF593421A92ACA6FB5A9E2FC55AEA9C2EDBC17BA8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057345879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.928{8B6011A9-88DD-6164-B500-00000000F101}5592C:\Users\Administrator\Desktop\beacon.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-469.attackrange.local54556-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 11241100x800000000000000057345878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:05.093{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:05.093{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB10946B6C92AEE8E8AEB4B96BE12AB9,SHA256=9662ACDE32B62C93B1F5AB519DDE67E4839909ABA42B2D7B998A5E6DB436ECD6falsetrue 23542300x800000000000000021219729Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:06.688{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=268909AEF9FF4E840E047AF5CEEEB2A4,SHA256=A58ADE32C4F6E3559232CFB3AD617F722FA21283145FC213829E4D411EB79E98,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057345883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:06.142{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057345882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:06.142{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections 11241100x800000000000000057345881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:06.110{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:06.110{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B351B166541C060D38A50A44CA102AF,SHA256=A10775B465216D4CE506808C85D7755B02909AF6EFC252FD32B492D31CA45E22falsetrue 354300x800000000000000021219734Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:54.485{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64333-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219733Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:07.706{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C3AABAC114DF6DCB2D651FEFFC4A226,SHA256=69396D5AC681A8A0FF6BD3C40A749FA555920B689999601E10A21DA821AD52B8,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057345943Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057345942Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057345941Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057345940Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345939Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345938Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345937Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345936Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.856{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057345932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057345910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057345909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057345908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057345907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057345906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057345904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 10341000x800000000000000057345901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3trueSplunk, Inc.Valid 10341000x800000000000000057345896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.840{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.826{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:07.825{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057345887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.156{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057345886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.156{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ED3DB46E9FF4A430B5B63F63E6F805F4,SHA256=EB6E756FA2D01CC99C15073129755B7A42CD59480128931596CD22EAAA8D001Efalsetrue 11241100x800000000000000057345885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.125{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:07.125{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609985E38001FC322276CD504644B4C0,SHA256=B285DE0F2133BB95AC62E4CA7A4212FEE7034E9C905E9AD926B32E5822D600F9falsetrue 23542300x800000000000000021219732Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:07.643{AD5E2759-5433-6143-1200-00000000F101}292NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F22457DEFF872D4E92D746F484E67C4E,SHA256=706123C678712660BEA19A59FD62E91B7A743AE461DFB5C42C260E85287B3821,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219731Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:07.266{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB49F7C54B98EDB1F014020C7EBBA05C,SHA256=DD2A7F552A9FB6EB091ECD4CC222387ABD30F73326311A6EF7EDA20C9897BEE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219730Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:07.266{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B0213E9144B3D9E778446D62D3233B4,SHA256=7DEBAA8F0D3B4CD046B319639121D8B60C77AB4EEBFD80109A2758D25189AF7D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219743Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.721{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FBFFE61C8919A76E0A503733115B474,SHA256=D0BB62280410D20BA5B0DAE8B4D7DB81A2663A6786682138144B0BCC3A46D4EA,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057346009Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.757{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057346008Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.741{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057346007Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.741{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346006Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.741{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057346005Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.610{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346004Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.610{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25D435EA6EF52C0E5627DA5A40D961D6,SHA256=ADC9D4832AEBA2C0574F68F90D4F124662A1622CFB07486B9FEA26FE8F576B54falsetrue 734700x800000000000000057346003Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346002Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346001Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346000Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345999Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057345998Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe 734700x800000000000000057345997Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057345996Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057345995Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.541{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057345994Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057345993Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057345992Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057345991Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057345990Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057345989Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.4169 (rs1_release.210107-1130)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=D21FAA584F844E61375D95B5BE9115EE,SHA256=E221EA0081FDE7AAAD71A38016A8D470082B3732E9ED2D8ED7C97E9F41AF0045trueMicrosoft WindowsValid 734700x800000000000000057345988Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057345987Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057345986Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057345985Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057345984Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057345983Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057345982Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057345981Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057345980Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057345979Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057345978Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057345977Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057345976Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057345975Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057345974Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057345973Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057345972Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057345971Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057345970Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057345969Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057345968Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057345967Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057345966Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057345965Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057345964Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057345963Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057345962Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057345961Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2trueSplunk, Inc.Valid 10341000x800000000000000057345960Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057345959Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.525{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057345958Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.511{8B6011A9-5B80-618E-47F3-04000000F101}5088C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057345957Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345956Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345955Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345954Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057345953Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057345952Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:08.510{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057345951Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.292{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057345950Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.291{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9836E192351629353FF64E20E45C149D,SHA256=BBDC4C7D8F0E2D4E403A670A7EB3BC4896854D05A5348819F8EC03F227DEDE9Cfalsetrue 354300x800000000000000057345949Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:38.541{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54558-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000057345948Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:38.495{8B6011A9-891D-6164-C500-00000000F101}2944C:\Windows\System32\rundll32.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54557-false34.218.235.219ec2-34-218-235-219.us-west-2.compute.amazonaws.com443https 10341000x800000000000000021219742Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B80-618E-10CE-08000000F101}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219741Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219740Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219739Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219738Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219737Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5B80-618E-10CE-08000000F101}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219736Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.331{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B80-618E-10CE-08000000F101}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219735Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:08.316{AD5E2759-5B80-618E-10CE-08000000F101}1340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057345947Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.025{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe 734700x800000000000000057345946Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.025{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057345945Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.025{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057345944Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:08.025{8B6011A9-5B7F-618E-46F3-04000000F101}5676C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219762Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.956{AD5E2759-5B81-618E-12CE-08000000F101}35963928C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219761Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.721{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5EF989A6F3D98EEA7765C1F21A0988,SHA256=75F584CD843177424ACE6BCA28C9FF0541EA7520AE57FB20D2C998A92DDB0703,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219760Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.721{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B81-618E-12CE-08000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057346123Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.940{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346122Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.940{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B86A2851E017E0EE53D83C823818EF3E,SHA256=A428D29D0914F49BD2E43297BEF0FE1864873B5F539238EFCEBF62C0CD404D17falsetrue 734700x800000000000000057346121Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346120Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346119Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346118Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057346117Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057346116Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057346115Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346114Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346113Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346112Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057346111Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057346110Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346109Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346108Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346107Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346106Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057346105Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346104Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346103Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057346102Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346101Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057346100Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346099Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346098Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057346097Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346096Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057346095Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057346094Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057346093Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346092Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057346091Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346090Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346089Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.909{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057346088Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346087Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057346086Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057346085Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5trueMicrosoft WindowsValid 734700x800000000000000057346084Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346083Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346082Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346081Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346080Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346079Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42trueSplunk, Inc.Valid 10341000x800000000000000057346078Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346077Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.893{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057346076Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.888{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057346075Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.888{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346074Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.888{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346073Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.888{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346072Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.888{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346071Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.887{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346070Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.887{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057346069Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.791{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346068Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.791{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8622DE87622B1CA73A565E32785D731,SHA256=287AC84DB01A577938C2B24465A781B7B108B1723970281861AB1ACB29957CE5falsetrue 534500x800000000000000057346067Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.425{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346066Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.425{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057346065Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.425{8B6011A9-5B81-618E-48F3-04000000F101}8969392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346064Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.425{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346063Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.425{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057346062Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.257{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346061Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.257{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16235399325B0282CBB974578B795859,SHA256=341F837762F0882610353837CCA9E14E9CF73A4CD26B7B822CA7F26FE557A1DCfalsetrue 734700x800000000000000057346060Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346059Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346058Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346057Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346056Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057346055Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346054Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346053Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346052Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346051Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.241{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057346050Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057346049Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346048Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346047Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346046Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346045Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346044Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346043Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057346042Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346041Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057346040Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346039Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346038Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346037Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057346036Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346035Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057346034Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057346033Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057346032Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346031Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057346030Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057346029Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346028Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057346027Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346026Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057346025Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057346024Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346023Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346022Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346021Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346020Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346019Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057346018Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-8868-6164-0500-00000000F101}424440C:\Windows\system32\csrss.exe{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346017Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.226{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057346016Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:09.211{8B6011A9-5B81-618E-48F3-04000000F101}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x800000000000000021219759Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219758Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219757Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219756Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219755Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B81-618E-12CE-08000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219754Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.706{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B81-618E-12CE-08000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219753Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.691{AD5E2759-5B81-618E-12CE-08000000F101}3596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219752Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.315{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB49F7C54B98EDB1F014020C7EBBA05C,SHA256=DD2A7F552A9FB6EB091ECD4CC222387ABD30F73326311A6EF7EDA20C9897BEE0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219751Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B81-618E-11CE-08000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219750Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219749Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219748Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219747Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219746Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-5432-6143-0500-00000000F101}4122828C:\Windows\system32\csrss.exe{AD5E2759-5B81-618E-11CE-08000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219745Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.018{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B81-618E-11CE-08000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219744Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:09.003{AD5E2759-5B81-618E-11CE-08000000F101}6016C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057346015Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346014Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346013Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346012Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346011Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346010Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:09.210{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000021219773Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.768{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8F3FCD0F56B2D13FEA15482B879BFD6,SHA256=B3059DA76BF4F7F1FAAB49713012DF4235A9819B09715681A595737A439462F3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219772Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.721{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86C69DED21CF1EC3BC562080A9DE05C6,SHA256=52BA802EB27CE5FA3665F956225C98EE1F657525338153DFEDDB5D7640CD7355,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346188Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.909{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346187Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.909{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70C054212C894B2670C46330FF246E67,SHA256=AA8A781BE26B822402090C990832906E0F84A19B1AF12B07418D402DB5A1E75Ffalsetrue 534500x800000000000000057346186Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.655{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346185Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.655{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057346184Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.655{8B6011A9-5B82-618E-4AF3-04000000F101}61962352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346183Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.655{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346182Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.655{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057346181Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346180Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346179Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346178Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346177Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057346176Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe 734700x800000000000000057346175Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346174Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346173Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346172Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.424{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057346171Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057346170Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346169Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346168Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346167Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346166Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346165Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346164Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346163Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057346162Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346161Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346160Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057346159Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057346158Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057346157Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346156Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057346155Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346154Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057346153Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057346152Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346151Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057346150Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346149Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057346148Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346147Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057346146Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057346145Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.408{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346144Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057346143Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346142Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F97661809011EF29B750297C6DFAEFF6,SHA256=6D5F05DC26FFE71B5CDDBEE14AC38B471DB3F17BE3058424C0082C88013C9BC0falsetrue 734700x800000000000000057346141Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346140Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346139Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346138Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241trueSplunk, Inc.Valid 10341000x800000000000000057346137Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346136Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.393{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057346135Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.388{8B6011A9-5B82-618E-4AF3-04000000F101}6196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057346134Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346133Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346132Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346131Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346130Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346129Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:10.387{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 10341000x800000000000000021219771Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.597{AD5E2759-5B82-618E-13CE-08000000F101}33002884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219770Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.409{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B82-618E-13CE-08000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219769Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219768Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219767Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219766Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219765Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-5432-6143-0500-00000000F101}412428C:\Windows\system32\csrss.exe{AD5E2759-5B82-618E-13CE-08000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219764Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.393{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B82-618E-13CE-08000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219763Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:10.378{AD5E2759-5B82-618E-13CE-08000000F101}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 534500x800000000000000057346128Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.124{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe 734700x800000000000000057346127Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.124{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 10341000x800000000000000057346126Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.124{8B6011A9-5B81-618E-49F3-04000000F101}85806336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346125Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.093{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346124Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:10.093{8B6011A9-5B81-618E-49F3-04000000F101}8580C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 10341000x800000000000000021219792Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B83-618E-15CE-08000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219791Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219790Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219789Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219788Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219787Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-5432-6143-0500-00000000F101}412528C:\Windows\system32\csrss.exe{AD5E2759-5B83-618E-15CE-08000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219786Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.785{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B83-618E-15CE-08000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219785Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.769{AD5E2759-5B83-618E-15CE-08000000F101}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219784Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.737{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68F3CEF7DE1BC01E2FFEE5E1CC26AB76,SHA256=73608771BB88E2336A094FCF7656E36EA0FFF40425D05E8DC26D46DD1F746E3B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 534500x800000000000000057346307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.905{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057346306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.903{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057346305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.901{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.901{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 734700x800000000000000057346303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057346299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057346298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe 734700x800000000000000057346297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.677{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057346293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057346292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057346287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057346283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057346280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057346278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057346277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057346275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057346273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057346272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057346271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057346269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057346267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518FtrueMicrosoft WindowsValid 734700x800000000000000057346266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.659{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3trueSplunk, Inc.Valid 10341000x800000000000000057346260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.643{8B6011A9-8868-6164-0500-00000000F101}424520C:\Windows\system32\csrss.exe{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057346258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.644{8B6011A9-5B83-618E-4CF3-04000000F101}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057346257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.643{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 11241100x800000000000000057346251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.427{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.427{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4FA8807897288D578EC4A5674A8A79,SHA256=0A3A91F308710F71F665D14BE1F96D66E85F377FEE55449D18F0F8E35509F06Ffalsetrue 10341000x800000000000000021219783Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.268{AD5E2759-5B83-618E-14CE-08000000F101}55484772C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x800000000000000021219782Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.127{AD5E2759-54C7-6143-A600-00000000F101}4072NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000021219781Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B83-618E-14CE-08000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219780Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219779Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219778Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219777Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219776Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-5432-6143-0500-00000000F101}4122832C:\Windows\system32\csrss.exe{AD5E2759-5B83-618E-14CE-08000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219775Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.096{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B83-618E-14CE-08000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219774Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:11.081{AD5E2759-5B83-618E-14CE-08000000F101}5548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000057346249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.361{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\respondent-20211011185456-44547MD5=53085563A3ABB9F3808759992432B215,SHA256=10E8415EFF195E3F3A29733AD6341E818F88D003F4EF1749654882A61D67B63Bfalsetrue 11241100x800000000000000057346248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.359{8B6011A9-887F-6164-4300-00000000F101}3568C:\Program Files\Amazon\SSM\ssm-agent-worker.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\respondent-20211011185456-445472021-11-12 12:18:11.359 11241100x800000000000000057346247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.358{8B6011A9-887D-6164-2C00-00000000F101}2924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\tmp\surveyor-20211011185454-445482021-11-12 12:18:11.358 534500x800000000000000057346246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.195{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 10341000x800000000000000057346245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.195{8B6011A9-5B83-618E-4BF3-04000000F101}91845512C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.195{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146trueMicrosoft WindowsValid 734700x800000000000000057346243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.195{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1AtrueMicrosoft WindowsValid 11241100x800000000000000057346242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.071{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.071{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CCAC84F9D0778B0C4741763D55854FC,SHA256=0DFA81EA9EDAEC8C0A200AAB09B20501A512ECC7E12BCB050D53F2DEED0CC86Dfalsetrue 734700x800000000000000057346240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.056{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FEtrueMicrosoft WindowsValid 734700x800000000000000057346239Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.056{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862trueMicrosoft WindowsValid 734700x800000000000000057346238Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.056{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778CtrueMicrosoft WindowsValid 18141800x800000000000000057346237Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.056{8B6011A9-5B83-618E-4BF3-04000000F101}9184\srvsvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057346236Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.056{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.0 (rs1_release.160715-1616)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=656F846CAED76C6FC5C76E8BACEF4EF6,SHA256=DFDE27C086764ACC1EA3E6A4E2BA50C2AB532F9E1D99203861F51910A8D850FBtrueMicrosoft WindowsValid 18141800x800000000000000057346235Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184\wkssvcC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe 734700x800000000000000057346234Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346233Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346232Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346231Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=F55166956AEAD05A141BA7E80B90AB7B,SHA256=B9BCF21D7F7E771C388C469B2611E8946166C62005B56D72421060DABFF7093FtrueMicrosoft WindowsValid 734700x800000000000000057346230Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057346229Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.3269 (rs1_release.190929-1234)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=12D6C3E8AC705BB42D377C05714F551C,SHA256=E67F6DB96F062A319312C365F1F55B2B38B0F90B77FFDA2522418709CBA45EB3trueMicrosoft WindowsValid 734700x800000000000000057346228Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54trueMicrosoft WindowsValid 734700x800000000000000057346227Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9trueMicrosoft CorporationValid 734700x800000000000000057346226Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FFtrueMicrosoft CorporationValid 734700x800000000000000057346225Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=6445BD4247E3956B244772F3C415585F,SHA256=2B08FC9E160AD0F698226DA3E30A12551E8EBCCA1E7287E3915EC62B58151A78trueSplunk, Inc.Valid 734700x800000000000000057346224Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.040{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=98978F08A7A0D24C92FE8DC5287A8258,SHA256=CBB940A38E834C0BE44884C667863F76D6700D564043F90B3EB813370C3174E7trueSplunk, Inc.Valid 734700x800000000000000057346223Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=F30BB43EC30BE50400780223450492CD,SHA256=867D0453E285A5C29A4EFA039D2399662DCCAC98F88C46B0A41CEFB6B68DD836trueSplunk, Inc.Valid 734700x800000000000000057346222Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=D98BAB348C28C8CFCC11EDB575E2557A,SHA256=ADA3F1256B175ECC390F126D2730D7A1AAB5A53F1AF205A7667D8010416602F9trueSplunk, Inc.Valid 734700x800000000000000057346221Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2tOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=B20FA07A7A61791EE537B5945429E141,SHA256=EF53BC2AB58BC548EFA249B0B8F2E1FBB9D4739EF27B0C67DFF1468D555329D3trueSplunk, Inc.Valid 734700x800000000000000057346220Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.9libxml2 librarylibxml2-libxml2.dllMD5=0E7B7B3B25A2F094EB3A7BAF471154B8,SHA256=6CFAC8D8D5B7345F2C6CC82CBF8F9DD475881EA260346BE283E52B822F2CCAC1trueSplunk, Inc.Valid 734700x800000000000000057346219Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=B8D3119CE62331C6A9B170DA0A608F28,SHA256=7D6C6B7C542B4E67AA468FEB12044E2EE34CE8F8A68C7665D7861F3363B6E66AtrueSplunk, Inc.Valid 734700x800000000000000057346218Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438trueMicrosoft WindowsValid 734700x800000000000000057346217Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346216Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346215Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 734700x800000000000000057346214Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346213Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346212Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346211Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346210Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346209Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346208Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346207Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346206Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346205Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346204Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346203Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 10341000x800000000000000057346202Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-BB8B-618B-50A0-04000000F101}92124768C:\Windows\system32\conhost.exe{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346201Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346200Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346199Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346198Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8trueSplunk, Inc.Valid 10341000x800000000000000057346197Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-8868-6164-0500-00000000F101}424548C:\Windows\system32\csrss.exe{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346196Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.024{8B6011A9-BB8A-618B-4CA0-04000000F101}74521152C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000057346195Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:11.010{8B6011A9-5B83-618E-4BF3-04000000F101}9184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{8B6011A9-886B-6164-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 18141800x800000000000000057346194Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346193Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346192Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346191Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 18141800x800000000000000057346190Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 17141700x800000000000000057346189Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:11.009{8B6011A9-BB8A-618B-4CA0-04000000F101}7452<Anonymous Pipe>C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe 23542300x800000000000000021219803Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.752{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48C7BC47232FC914A7278A76F066F8CD,SHA256=C40CF397CE38A131D45B0F70F02EABA04B57C923710E3EE781B85AE1912FC129,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:12.648{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:12.648{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10E3AFC41BFE18DF7EC28B338EDA6791,SHA256=F47EF0B127CA242814EBD89DD6E4207C7B08E6CB0F86F216E4C7320F509CFBE0falsetrue 10341000x800000000000000021219802Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.628{AD5E2759-5B84-618E-16CE-08000000F101}59163248C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219801Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.424{AD5E2759-54C7-6143-AA00-00000000F101}35682904C:\Windows\system32\conhost.exe{AD5E2759-5B84-618E-16CE-08000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219800Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219799Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219798Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219797Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-5433-6143-0C00-00000000F101}7325636C:\Windows\system32\svchost.exe{AD5E2759-5434-6143-1F00-00000000F101}1140C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000021219796Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-5432-6143-0500-00000000F101}4122828C:\Windows\system32\csrss.exe{AD5E2759-5B84-618E-16CE-08000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000021219795Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.409{AD5E2759-54C7-6143-A600-00000000F101}4072516C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{AD5E2759-5B84-618E-16CE-08000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x800000000000000021219794Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.394{AD5E2759-5B84-618E-16CE-08000000F101}5916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{AD5E2759-5432-6143-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x800000000000000021219793Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:12.299{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31767260D66F8F207FC13CD0E7AE2736,SHA256=1BC9D5AA5F5A4CDB965C18E4813408A56AD0CFEDAE6D37B8959355112D53467F,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000057346310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:12.364{8B6011A9-887D-6164-2C00-00000000F101}2924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0babd73079828ea96\channels\health\surveyor-20211011185454-44548MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7falsetrue 11241100x800000000000000057346309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:12.017{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:12.017{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD74F94F4BB8854E71C31147B9794808,SHA256=3F9770A5B2BC0C54E22EF905DFDD87FF4CAA0436005A3A7871AEC9439CB493AEfalsetrue 23542300x800000000000000021219805Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:13.784{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDEF5C8A90318520CD352719CDC44472,SHA256=2B702825C32BC146FEAECB561AAE534087CAE7458D1293752952695D5262F342,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:13.663{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:13.663{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E091569778425C51A1294EE91BCFCF77,SHA256=2516CB17E5FE7A0D144DDF6C517215ACDC4731D29DB1F65C7CA40BB4AB03D9DFfalsetrue 23542300x800000000000000021219804Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:13.393{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=727A8B2726EEF5716B1BEAB868F45180,SHA256=AA484DEA0BF1D92EF733554758388CB84A2BEB1E935DCA763E0931662B2D3842,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:13.179{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:13.179{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B539494C25106B82AD9A28E24E2E4FF4,SHA256=4C4C61FE3DB1141A4194A1113452AAB34FFD982FD71C9BDB4A3DF4AAFF42E5BCfalsetrue 23542300x800000000000000021219808Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:14.815{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFEBC30E26E45566D6F3B9A3DAF44ED1,SHA256=BD00D8B3E68C9DF16905C9582AE5C2278DFEA2ED39EE5A11F82F475E218B2E4B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:14.677{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:14.677{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13DDD3B2E46E05AA684528E6C7EBAE98,SHA256=AD077E035ECF2914625BA3C99785CF58FA92BE416EB7ABADDDB6749C7F789B69falsetrue 354300x800000000000000021219807Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:00.487{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64335-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 354300x800000000000000021219806Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:59.534{AD5E2759-54C7-6143-A600-00000000F101}4072C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64334-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x800000000000000057346319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:14.578{8B6011A9-886D-6164-1200-00000000F101}460C:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat2021-10-11 18:55:38.088 23542300x800000000000000057346318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:14.578{8B6011A9-886D-6164-1200-00000000F101}460NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=ADC6794AD3BAE55B8B7DB6942578599F,SHA256=C7C0E0CA504E96394ADA6BBD863938ABBC992903B48CDADA124057AF5B3102CFfalsetrue 354300x800000000000000057346317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:44.516{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54559-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219809Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:15.846{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065E93CEE26AB53D3DC66A07456CE91D,SHA256=0AEEF94A0D6E5CD719B4B831BE0677FC2295390A07DF68C3C9999C171F6EAD81,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:15.693{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:15.693{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D50E4303D0786CDBE0F42E1E603B30A,SHA256=6F5FBD3FB7EC19127197C44C8843D76190483E2DB39FB44800E5034FC14C8435falsetrue 23542300x800000000000000021219810Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:16.846{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E4ED40A70A515CBE5202B05EED2CA5A,SHA256=5C51FA3D7545FB3C28D3CB2C7DD7D677BE9596AC6F401563A5A266E3A170ADAF,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:16.729{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:16.729{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84295DB30BD8A8AF091D714A02B52DB6,SHA256=5CB8FC1A4C59DD9C75C638159E0872E29163EF699948A66D7C14E968D9CD9390falsetrue 23542300x800000000000000021219811Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:17.893{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D21B4D041921671681E19DA1FDF9AA,SHA256=3BA6F269F3262BA19F37016A6B898EF0F84D81F2F6A9BC6B545B080BF884F5FD,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:17.730{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:17.730{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F00EA615ECA224B70CED0079383D5426,SHA256=76A2E53591F602AA78774005BBA6A00044D64DCE297316FDF1F5F15BE6B38A25falsetrue 23542300x800000000000000021219813Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:18.893{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8359560333088546E149778740067DE,SHA256=14CB2FF784F010BED6ADD845C584A98A8CDBC40D0046FF89C0524E4EE50DCF59,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346335Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.745{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346334Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.745{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE1ECEEF68ED061B0E226999AC8BD00,SHA256=911B843B04714F79D99DC96CE56AD2002C37BE7E5FF7844F5E6FDAB7EFDE3106falsetrue 23542300x800000000000000021219812Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:18.143{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F0BD69038D9756F44FAB1732E0AAA99,SHA256=F9A248A48772FBFADF1C2954C376A8C73EA322E7474F588C18094C4B1E7C3551,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057346333Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:18.408{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057346332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:18.408{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 11241100x800000000000000057346331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.261{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.261{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67CC9E9E38F938CC5406E7A0BAECADC1,SHA256=E511DA772868F0B2B9DC4D072AF356CEB7B55EC7CA8534142D11F442B3567F34falsetrue 11241100x800000000000000057346329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.261{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:18.261{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0202708DFAF70EAAA75D2EF09DAAA0C7,SHA256=2DC7F644D81C3619AB91B7F027835425DDB241E92D6790858EC8448C78118596falsetrue 23542300x800000000000000021219815Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:19.893{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9335D11E36C695BCB21499213F2A6757,SHA256=1AF4EAFF0509F600603A84D4C3917167C2214F9769E31E4D1D58B2F1A3ED351B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346340Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:19.760{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346339Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:19.760{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D896E163B80AD52F4A01A73DE1C5463A,SHA256=5015B7DC9783142985471F92839094CF62400F8EF605D09C5AFE2BAF17B7D643falsetrue 354300x800000000000000021219814Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:05.565{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64336-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057346338Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:19.429{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346337Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:19.429{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67CC9E9E38F938CC5406E7A0BAECADC1,SHA256=E511DA772868F0B2B9DC4D072AF356CEB7B55EC7CA8534142D11F442B3567F34falsetrue 354300x800000000000000057346336Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:49.599{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54560-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219816Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:20.893{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D090784A6E7DB3C9CC36E799F37F6F9D,SHA256=52285C4FEBA81773E1F2E84464325A1D067BF71BA24FEF095CA77230384018F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346344Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:20.791{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346343Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:20.791{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D6D3C956412B3841EAB556E9D76C086,SHA256=F60A334C216CCED0EEDA0923B07B861DE8535BAA28FFA0EF8971409247CCFC9Afalsetrue 354300x800000000000000057346342Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.761{8B6011A9-886B-6164-0B00-00000000F101}648C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54561-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 354300x800000000000000057346341Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:50.761{8B6011A9-887D-6164-2800-00000000F101}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-469.attackrange.local54561-true0:0:0:0:0:0:0:1win-dc-469.attackrange.local389ldap 11241100x800000000000000057346346Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:21.810{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346345Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:21.809{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DED454F4F4A40CFAA4C95578C489807,SHA256=0CDE840C1CDC62A0F6CD5502EB4BE078F735FDB54B60A1CA384BCE160180F1BEfalsetrue 23542300x800000000000000021219818Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:21.894{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546D0A0DCE96FC6AAF2BDCB56B93EEBD,SHA256=37F9F902D26D65903FA3B4940C0CB12824E25FD11429ABC2519A4D39A7FB4081,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219817Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:21.865{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\respondent-20210916142702-79909MD5=8085950F126672766A1DF0580C539A31,SHA256=836015C54DD1F9176CE157D9E23B9B47C196C9CF50DD587B63CC20EE15FEF46E,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219820Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:22.924{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EB391643ECE096631717B3A8E8781A4,SHA256=299EBF0E55474ADFC6C877C605591C384B51CEB31C73FABAF88F861F87D7955C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346348Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:22.827{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346347Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:22.827{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E8C4BD1B0EB13F27EDEFA6E18576113,SHA256=B635EB7D3F56DFC1CE21AB6B86EDCF2E18EDEC55806C82BB83BFECFBE3AC7A39falsetrue 23542300x800000000000000021219819Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:22.878{AD5E2759-5433-6143-1A00-00000000F101}1972NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-09909a0b10b828df0\channels\health\surveyor-20210916142700-79910MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219821Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:23.927{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCFAB85CA2773B436BF3BDE1FDE40F7,SHA256=81B875FC71C8EB3937F8FEC67652CB137924678D5A7E08F94C9A12DDD4177124,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346352Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:23.842{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346351Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:23.842{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B67936804D39B032838C54BDA3809CF2,SHA256=02854E75F76418843A3CB8EE58262D0228B68CA326899E1D5F62AB4C3F90C50Ffalsetrue 11241100x800000000000000057346350Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:23.642{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346349Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:23.642{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D698070C4014D0F89A8E437C25082813,SHA256=F8F9E96EE3A475C0B41F6D10C672D5AC5FF1BB526D9C118E28641638E0CE1B5Efalsetrue 23542300x800000000000000021219825Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:24.943{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58D3DDD5AE1629FAADE743CDEBE2750B,SHA256=6877791893139449127F250F30798D5569386134DFCA8E732FDCB6F806CBAE73,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346355Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:24.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346354Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:24.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AD110D7B35A04437CE9C32BB8B9DE4,SHA256=C7F4D32F95108CF1AC2E76EA1B8A8F09E5AD3A8D2FBE5289013D7FB143014992falsetrue 354300x800000000000000021219824Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:11.487{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64337-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219823Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:24.083{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56ABDB1DD60DF9562712C66D773EB2DB,SHA256=195F9EBDA46C36F23DD961B8DD4AF79D312A240AB52733C36C013AE1330EB62C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219822Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:24.083{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C579C69EEE72ABB6E3846CFD0FFA95E,SHA256=19373B812373C31762F0A824E6B5B3946F2A50C54516DD1E45AEDD844B84C872,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 354300x800000000000000057346353Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:55.511{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54562-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057346357Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:25.887{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346356Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:25.887{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5DFE421608D1FBDA2DB18AA4F4854EF,SHA256=D4818DE593BEAF49C63F25D808F77F2B8C5EFADAD52C48FB7AD35BD62F95D944falsetrue 23542300x800000000000000021219826Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:25.943{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A353D3AB043B70A8B6F5EC5DC91F9E5,SHA256=9E99AE76B21C2F8E79752CAF4ECDB90C8E9AD9B6725F0CA174E6DDC94B027E43,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346359Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:26.905{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346358Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:26.905{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB999ACCE4140459E52C01CACF4AE976,SHA256=9426CD0D5413FB90D418B3F233DFA0057A8D6FB60ECD0A2E9343871535F83CA3falsetrue 23542300x800000000000000021219827Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:26.974{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CC51FC9C82DAE86A29EDE8715EED5C,SHA256=2E6B8D7C30897C7C2BCC728A17E4CCC761DFD70CFE5EE7FA37718E50D61D1DFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219828Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:27.985{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBD8EDD187DA5F7DADFC788A71DE8389,SHA256=61B2AA2E201733EB6DF65B33BDD2AF2B539C15EC2BE9C202007A50B0AC8F51F9,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346361Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:27.923{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346360Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:27.923{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6832C97367B11330E2B20771E55059,SHA256=E97ECDBD22355C5120BA7BE7B643AA6469E04D82D6FF42CEED01B6BEBBEC681Cfalsetrue 11241100x800000000000000057346367Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.969{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346366Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.969{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10921BB53C083678136B791C61A036D1,SHA256=BA22C9DD2208092B7EA626268FAA55747CAA6689AD51D464C1776B6A04CD9A23falsetrue 11241100x800000000000000057346365Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.638{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346364Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.638{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41302CCEC64350E0E90637E600B2B741,SHA256=234B63BB885130F9A1EBAEBEED26C3D350E4206941D658B22B544A034C00B7C4falsetrue 11241100x800000000000000057346363Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.638{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346362Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:28.638{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5F574864086603C1F5006955951E53B,SHA256=725BE2A733A469870BD44F1319D34287182CCFDED1268D5E48F10B4F57AECCE5falsetrue 354300x800000000000000021219832Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:16.518{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64338-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219831Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:29.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D2027C511D9051095CDBB3DBE48CED3,SHA256=5390AC695160F01B250F94347D3F61CB1EDE9DE8E3FCDB7F616EA832FF1E304B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219830Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:29.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56ABDB1DD60DF9562712C66D773EB2DB,SHA256=195F9EBDA46C36F23DD961B8DD4AF79D312A240AB52733C36C013AE1330EB62C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219829Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:29.048{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9AA5E157E252FD0DD6B73075B3561BC,SHA256=63F101F8583DF472F36883AE3301A52BA56FF01604F7E4DF187890792512DAFC,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219833Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:30.048{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=295A4A1D0BC5171F53237D4C288C4690,SHA256=7890534607D865D26CD0CE368BF1DF6FE2D5401133F7CB56E5C40AA216DF96E3,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 10341000x800000000000000057346387Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+17e8d|C:\Windows\System32\SHELL32.dll+61e00|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346386Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}87364068C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62967|C:\Windows\explorer.exe+3c618|C:\Windows\explorer.exe+3c4a4|C:\Windows\explorer.exe+3c411|C:\Windows\System32\windows.storage.dll+7c2cf|C:\Windows\System32\windows.storage.dll+7b04f|C:\Windows\System32\windows.storage.dll+7dfef|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x800000000000000057346385Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation\LastOrientationDWORD (0x00000000) 12241200x800000000000000057346384Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\AutoRotation 11241100x800000000000000057346383Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat2021-09-16 13:08:16.776 23542300x800000000000000057346382Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.853{8B6011A9-8B2B-618D-C0DA-04000000F101}8736ATTACKRANGE\AdministratorC:\Windows\explorer.exeC:\Users\Administrator\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datMD5=58FDE1A71D2ADB272DABB3A92B406559,SHA256=555933C7D5D49EBF3648EE1EF420E0C71835139B8A8DEF8FBA64C9EBE48B0C32falsetrue 10341000x800000000000000057346381Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.837{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6165f|C:\Windows\System32\SHELL32.dll+62400|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346380Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.837{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c00|C:\Windows\System32\SHELL32.dll+623bc|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346379Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.837{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+618b4|C:\Windows\System32\SHELL32.dll+62390|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346378Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.837{8B6011A9-8B2B-618D-C0DA-04000000F101}87366804C:\Windows\explorer.exe{8B6011A9-C6FA-616E-9C35-01000000F101}4136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x800000000000000057346377Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:01.454{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54563-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057346376Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.106{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346375Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.105{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41302CCEC64350E0E90637E600B2B741,SHA256=234B63BB885130F9A1EBAEBEED26C3D350E4206941D658B22B544A034C00B7C4falsetrue 24542400x800000000000000057346374Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.069{8B6011A9-8897-6164-8000-00000000F101}4756C:\Windows\System32\rdpclip.exe2user: ATTACKRANGE\administrator hostname: C02DN3AYMD6PMD5=E4E8F0758DB1306608839F471EC64A73,SHA256=D47589CC1AAD18F993D7C85C9240F69B95F10BC94AE0407899676220E88338D1true 10341000x800000000000000057346373Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.069{8B6011A9-886D-6164-0C00-00000000F101}8484668C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346372Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.069{8B6011A9-886D-6164-0C00-00000000F101}8484668C:\Windows\system32\svchost.exe{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057346371Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.069{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeC:\Sysmon\CLIP-E4E8F0758DB1306608839F471EC64A73D47589CC1AAD18F993D7C85C9240F69B95F10BC94AE0407899676220E88338D12021-11-12 12:18:30.069 10341000x800000000000000057346370Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.069{8B6011A9-887D-6164-2700-00000000F101}28565420C:\Windows\sysmon64.exe{8B6011A9-8897-6164-8000-00000000F101}4756C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|C:\Windows\sysmon64.exe+50e63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x800000000000000057346369Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.022{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346368Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:30.022{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=042167D5D5144BF75D517FC410D5F574,SHA256=275C85DE36539B9CECAB3C22010D6F512BC811E37B3B86AB62E343BCA2358355falsetrue 11241100x800000000000000057346389Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:31.037{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346388Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:31.037{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E763E6F4870C85814E1CC1B6B128F2C9,SHA256=BB0DD5B6AF3CAF917A5E19248CC221DAB731C5FAC6D489B4D670912DFB82DB38falsetrue 13241300x800000000000000021219835Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-SetValue2021-11-12 12:18:31.126{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7d7bf-0x67d2122b) 23542300x800000000000000021219834Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:31.079{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=127FD51762A8ADEAD269BEC19AEAD5EC,SHA256=EAF7C9BEB9A120BD726C09A36A6905067675CD5374C1D62FE8DB58F6271EE528,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057346393Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:32.771{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000580094\VirtualDesktopBinary Data 12241200x800000000000000057346392Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:32.771{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000580094 11241100x800000000000000057346391Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:32.038{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346390Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:32.038{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4608E551BFA2A390847932E0CBDCA50,SHA256=421A61D476ED58DA8E62173877949CB1347D5E1B30BC6AB165430AB6DB37DD32falsetrue 354300x800000000000000021219838Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:19.532{AD5E2759-5433-6143-1300-00000000F101}308C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-874.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x800000000000000021219837Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:32.126{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D2027C511D9051095CDBB3DBE48CED3,SHA256=5390AC695160F01B250F94347D3F61CB1EDE9DE8E3FCDB7F616EA832FF1E304B,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219836Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:32.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8EEA07F723F52ACB7778C2A6F9BFDBB,SHA256=85473C6363078E3BED0E27431CB73F697E9B1066C6868A334394A35A78DFD9F0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219839Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:33.095{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D03B28559BD144CCDF4DE78C4536293,SHA256=B7216C92B7A9270CCA938ACE5087FD785638734DFCF9B3540AAF870A9C18FEE6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057346397Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:33.856{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\HRZR_PGYFRFFVBABinary Data 13241300x800000000000000057346396Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:33.856{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\JvaqbjfCbjreFuryy\i1.0\cbjrefuryy.rkrBinary Data 11241100x800000000000000057346395Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:33.055{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346394Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:33.055{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0875516069AAFCD30157DAC008A3AB1A,SHA256=9BEC675AA3F000257460846304B0175C713BC676BBF19A49F9290E21269FECDCfalsetrue 354300x800000000000000021219842Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:21.533{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64339-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219841Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:34.142{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8096DD36CAA6D47F5DAAC27D292DD449,SHA256=9159FCCBED65C335D4E7B89E7209C97ED219BA57415B86192EF1CD7BB8D95C9D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219840Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:34.110{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C9D02A50416772589BFBB6BEBA4636,SHA256=63A2A7D848551E3D335D5EF90D4056CDEFA88A3B3621550AB5EECCE1E264E812,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346592Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.971{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346591Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.971{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=42A7D6B552F0C920A80B9EE19EFACFBA,SHA256=24B3AF4321027EAA2D6C7F16EC9407C82F6CF77F044BFC2E755FE13B69A1FD7Cfalsetrue 11241100x800000000000000057346590Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346589Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.856{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5798E46FD34DC68C3755005DFA45093F,SHA256=288748F3B7C43A21CCCEF0E8D8D4DF54E301FD88B6484D4868B277914B4A3EF0falsetrue 11241100x800000000000000057346588Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.807{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346587Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.806{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4ADF3E09CC2F6FDB0D33FD46327B32B,SHA256=7F17479CA76AC543EE2FD18B8A14656A46251AAC6FCD48159B8D6062506446C4falsetrue 12241200x800000000000000057346586Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346585Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346584Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346583Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346582Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346581Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346580Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346579Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346578Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346577Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346576Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346575Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346574Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346573Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346572Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057346571Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\authz.dll10.0.14393.1737 (rs1_release_inmarket.170914-1249)Authorization FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationauthz.dllMD5=6BAADF6A3E985DE5AB6FDA778E18F1A5,SHA256=8FD060B0F29A1FB23C3D1F389C22EC067247F1E457F331D2B15AE44323ECB8D0trueMicrosoft WindowsValid 12241200x800000000000000057346570Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346569Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346568Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346567Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346566Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346565Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346564Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346563Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346562Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 534500x800000000000000057346561Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.540{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exe 12241200x800000000000000057346560Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346559Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.540{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346558Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346557Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346556Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346555Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346554Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346553Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346552Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346551Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057346550Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 12241200x800000000000000057346549Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346548Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346547Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346546Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346545Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346544Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346543Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346542Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346541Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346540Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346539Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346538Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346537Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346536Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346535Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346534Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x800000000000000057346533Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346532Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346531Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346530Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346529Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 12241200x800000000000000057346528Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346527Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 734700x800000000000000057346526Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 12241200x800000000000000057346525Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346524Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346523Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346522Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346521Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346520Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346519Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346518Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346517Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346516Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346515Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346514Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 12241200x800000000000000057346513Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346512Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346511Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346510Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346509Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346508Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346507Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346506Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057346505Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.509{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exeMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88AtrueMicrosoft WindowsValid 12241200x800000000000000057346504Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346503Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 12241200x800000000000000057346502Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346501Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057346500Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346499Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346498Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346497Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346496Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346495Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346494Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346493Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346492Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 12241200x800000000000000057346491Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.524{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057346490Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346489Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.524{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346488Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.509{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000057346487Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.509{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346486Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.509{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346485Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.509{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057346484Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.509{8B6011A9-888A-6164-7000-00000000F101}34483736C:\Windows\system32\csrss.exe{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346483Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.509{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+30ef8c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2593341(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25751e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2565f01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2573443(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572fb5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64) 154100x800000000000000057346482Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.483{8B6011A9-5B9A-618E-4EF3-04000000F101}9320C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 18141800x800000000000000057346481Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:34.471{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 12241200x800000000000000057346480Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346479Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346478Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 17141700x800000000000000057346477Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:34.471{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 12241200x800000000000000057346476Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346475Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346474Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346473Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346472Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346471Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346470Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346469Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346468Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346467Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346466Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346465Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057346464Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 12241200x800000000000000057346463Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346462Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346461Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346460Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346459Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346458Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346457Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346456Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 534500x800000000000000057346455Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXE 12241200x800000000000000057346454Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057346453Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=63EB5F68082B8C8C392E5DAC1D4EC678,SHA256=58EC364601FA6FE26525D8ADB44B7EDEFCFB73E72897C77B6E37F73E1C7BF871trueMicrosoft WindowsValid 734700x800000000000000057346452Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3trueMicrosoft WindowsValid 12241200x800000000000000057346451Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057346450Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057346449Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057346448Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057346447Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 12241200x800000000000000057346446Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346445Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 12241200x800000000000000057346444Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346443Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346442Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346441Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346440Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346439Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346438Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346437Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346436Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346435Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346434Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346433Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346432Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346431Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.471{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBBtrueMicrosoft WindowsValid 12241200x800000000000000057346430Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346429Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057346428Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exeMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1trueMicrosoft WindowsValid 12241200x800000000000000057346427Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346426Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346425Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346424Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346423Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346422Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346421Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346420Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346419Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.471{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346418Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346417Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346416Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346415Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000057346414Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346413Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346412Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000057346411Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.456{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346410Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 12241200x800000000000000057346409Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:34.456{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 10341000x800000000000000057346408Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346407Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.456{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+30ef8c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2593341(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25751e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2565f01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2573443(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572fb5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64) 154100x800000000000000057346406Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.422{8B6011A9-5B9A-618E-4DF3-04000000F101}9432C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 18141800x800000000000000057346405Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:34.409{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x800000000000000057346404Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:34.409{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x800000000000000057346403Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.187{8B6011A9-E4CD-6172-AAB2-01000000F101}9240ATTACKRANGE\AdministratorC:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\9240.xml~RFa3622142.TMPMD5=456D225B4D65C9CF435A86E0A35A2EE3,SHA256=98A44CE309D109FBE724C41274306C85F0B69B2A3FB9CA4D460D015BE0E930C7falsetrue 11241100x800000000000000057346402Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.187{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\9240.xml~RFa3622142.TMP2021-11-12 12:18:34.187 254200x800000000000000057346401Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.187{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1kygeb2x.tmp2021-10-22 16:22:32.4192021-11-12 12:18:34.187 11241100x800000000000000057346400Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.187{8B6011A9-E4CD-6172-AAB2-01000000F101}9240C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell_ISE.exeC:\Users\Administrator\AppData\Local\Microsoft_Corporation\PowerShell_ISE.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\1kygeb2x.tmp2021-11-12 12:18:34.187 11241100x800000000000000057346399Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.056{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346398Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:34.056{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=460AC18AB1DC0662AF65A3E08A526F88,SHA256=6FAEA235B896BD5FA57A975D0ABDFB10CF52A8821A8489086DDAD0D9AA6A4B8Dfalsetrue 23542300x800000000000000021219843Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:35.110{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0261BE20106FC46CBF7C9A608F842924,SHA256=A9C4FDFA7F0440FEEC661C351835895D83E58AD8C30D5AA719ECEA0553C8B9D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 13241300x800000000000000057346613Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:35.955{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000590094\VirtualDesktopBinary Data 12241200x800000000000000057346612Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:35.955{8B6011A9-8B2B-618D-C0DA-04000000F101}8736C:\Windows\explorer.exeHKU\S-1-5-21-3946589728-3102711660-3528854901-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\2\ApplicationViewManagement\W32:0000000000590094 354300x800000000000000057346611Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:06.478{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54564-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057346610Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.371{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346609Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.371{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6236918FC7D559EDD76104E059E2085C,SHA256=2681CDC9524395948C826A4A0158E6AA1711E57955D27B3BC38DE8366E7FDBF0falsetrue 11241100x800000000000000057346608Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.324{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346607Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.324{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4D346866E246791959EB987338251EF8,SHA256=AA553B9E33B928D8F622BE4E8AA8DF45F6348216BAE26B96FB1617B5361BE9E7falsetrue 11241100x800000000000000057346606Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346605Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C0EF555A8B52F5C86B2884739724F86,SHA256=F4E1055997CCE3D2399E217ADBE2B04E7B89743432AA5C1636C128267B0A0275falsetrue 11241100x800000000000000057346604Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346603Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.155{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0B8BE509B6991363EF11C0102091CDB,SHA256=F6876D32AE20D17F301BE49111BE112705AC3CC4DF14C96B23E9238085E090EDfalsetrue 11241100x800000000000000057346602Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346601Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E2EA7FB02FB344F80611DCD00BE06144,SHA256=5A8040F895B7745EE1AB20A5813EDB54DFCEBA22464B77D4036FB454FC2B21FFfalsetrue 11241100x800000000000000057346600Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346599Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E4F5EF89255C6CF334EC42943DF50F,SHA256=0EB6A6226224DE4344BABDDCADF5398FDAAC4B2541488BFDB565A35E3A15FBD6falsetrue 11241100x800000000000000057346598Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346597Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.109{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=93646E533AFA64650E383D0D92018961,SHA256=EA30E3AB8B9ACD5571A3F46D20739421A23F06309957B2ED29621EE776C44927falsetrue 11241100x800000000000000057346596Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.056{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346595Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.056{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7DA091F392C205FC55F2C6C5CC937A89,SHA256=5193B3B1F762EA925FE642A69B51CDA0579AF1F67B9F728EBB3851DC1801A729falsetrue 11241100x800000000000000057346594Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.008{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346593Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:35.007{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A951BEA0E057750FF3CF5358E443EBBA,SHA256=E3B50344999CE810E6A865EC683A9662C7AEB4DB9A5C3EBEA2B161F38133ADDFfalsetrue 23542300x800000000000000021219844Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:36.110{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C019A39EBA0DDC84A674ED0594FE63F,SHA256=91E05C684E2DBA167767D251995C7D5D9506FD055296A6CBC94A6DD2BDFBAE82,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346637Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.723{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346636Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.723{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B88C0E045870D855498F17AC69F8B8A0,SHA256=1ABB4A7C555B79BB4BFE5E8EFDEC3DA156618A21523A9D76FCB262F3E7180D04falsetrue 11241100x800000000000000057346635Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.623{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346634Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.623{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=75CA245302813247F20613541E0D33F1,SHA256=4461DFE55817323CA1C7EE42B19541AA31E9DEC782B75EEBF2FDF0D6E7A9BAE2falsetrue 11241100x800000000000000057346633Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.523{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346632Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.523{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A6867591E922C8BC5E45618B28B191BC,SHA256=29B571DF7923135F4693405DBF0938AE70FA780C72C49830F69D91430983EA9Afalsetrue 11241100x800000000000000057346631Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.470{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346630Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.470{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0D39164C130DF007F7913F7EFA55FA23,SHA256=C16E5814385C5E93B491CD6B9567BE117C03EB5B1009825E8923637122F3E1FBfalsetrue 11241100x800000000000000057346629Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.423{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xml2021-09-16 14:17:08.076 23542300x800000000000000057346628Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.423{8B6011A9-BB8A-618B-4CA0-04000000F101}7452NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=191BF671B22BB6D0D8098F4764225CD4,SHA256=587F0439BC6F77A0432866DC98383BB4980C713A6CBE1D9A500FD8BFA4A6C98Dfalsetrue 11241100x800000000000000057346627Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.355{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346626Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.355{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6B364673DEA29E629FA5CBE6913161A7,SHA256=DE2C19E505E42964F7611439B4BC8C195CB5F4CFDB5ABA763A4C91BBA26C686Cfalsetrue 11241100x800000000000000057346625Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346624Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.270{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=53CA5C14C55A68292F1FB15DC4C028A4,SHA256=2977527F8D66FF447C4847BFB0A77EFE9E636FCDF72087D8F2F88D5BD93BCD1Dfalsetrue 11241100x800000000000000057346623Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.204{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346622Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.203{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A3F896C5B5438CFBFCCCF11DB4D002BC,SHA256=4660738E23F9EDA6A3CBF27F0E04EF696A492C16D56F3ADE327FDA021C13FB61falsetrue 11241100x800000000000000057346621Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.124{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346620Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.124{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79485753DF10CD36F2885252136137EC,SHA256=3305922143E77727F5A4548057DF638C4292A2B9EBEBA2764BA9EBA6EB815777falsetrue 11241100x800000000000000057346619Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.105{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346618Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.104{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FD8F7E7495C764CA46E3FB93E8F97423,SHA256=584F6E55F409C348285A94E12CC3EACF05AC64FCFF6B74DB4BAFB9B559B2440Cfalsetrue 11241100x800000000000000057346617Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.039{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346616Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.039{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=3490D7B3E09C87253511BDF39C983593,SHA256=A66FBA4057408E2EA45502BC9CE14155962176F1582B0DC5A7248A4436A6BD34falsetrue 11241100x800000000000000057346615Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.004{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346614Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:36.003{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9EA1B46DB4415ECB314DBE6698E96907,SHA256=A922BF4D8B6AFA4521DC2D1F2321BCF504C6F77B8975BB0F672A860608755B02falsetrue 354300x800000000000000057346644Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:08.758{8B6011A9-BB8A-618B-4CA0-04000000F101}7452C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54565-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8089- 11241100x800000000000000057346643Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.423{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346642Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.423{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C0EF555A8B52F5C86B2884739724F86,SHA256=F4E1055997CCE3D2399E217ADBE2B04E7B89743432AA5C1636C128267B0A0275falsetrue 11241100x800000000000000057346641Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.385{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346640Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.385{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0B972E2CE7469549A134EB3400A5814A,SHA256=956FCC959CAEFF5837F2A29020C1352E37D48E2DDD7C46F0FFB333E35366C39Bfalsetrue 11241100x800000000000000057346639Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.138{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346638Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:37.138{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF52931C754E96C03853F2FF8FDE1F3D,SHA256=5A9B4A859FDC262FED1BF79A388D63FD2372840B8B1BF776389A246ACA3CAE58falsetrue 23542300x800000000000000021219845Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:37.142{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CF14AC529749B48DE12D0293E7A8F5,SHA256=A11E450DE31257DEF38363C05204F32CBD8DB999D8F46558D4324CB6B7C6FB8C,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346646Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:38.153{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346645Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:38.153{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58C019F61F3EA7FC9CFE9F189256880,SHA256=4B308E4E606229A8C162D2209AF88E54DC5D72B5F84FDA02DC4C48616EE534D8falsetrue 23542300x800000000000000021219846Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:38.142{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEBCC706FAA6496EA7772C840044EA9A,SHA256=624531E72D33BFDD4F58E5E655943AB705E717796FF9DA8C285DEA43BED3C510,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346648Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:39.168{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346647Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:39.168{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F1D6D416A48CF4A35E49DA2CB9A3A5,SHA256=4FFDD82A7779132A0D2A57619526EF38441A149B0EA0896F16D2C3D161FE5FF1falsetrue 23542300x800000000000000021219847Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:39.142{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C903EA2BAF42B18A99DC50D7C7D66DF,SHA256=D9E33179F84CBFF18E9E6AD4F47413B055BE8BCFCB47C29E861FB7D18DD55E83,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346650Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:40.182{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346649Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:40.182{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57AA7DED17A36BB8F772ADE4BACF2F2,SHA256=EF4E7551B8604E2F836D185A6C5111A4BFA4D386B3AE67EE9F9DA7DB807C3EDCfalsetrue 354300x800000000000000021219851Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:19:27.440{AD5E2759-54CF-6143-D400-00000000F101}3540C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-874.attackrange.local64340-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 23542300x800000000000000021219850Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:40.157{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD2E2C1DB1F3ABF7B6EB2F0DDC8C14E,SHA256=B225762BBB7CBE027FCDA759F569BE9F7BF2194BA02B0A362378DEBE071BAD74,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219849Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:40.032{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=18437A320CFC143C3E57B996A8D1A821,SHA256=37B2204BEDD26F216ACFADDAF9C71B211A93D00A17AF80B2EC355CE17E66EB56,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 23542300x800000000000000021219848Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:40.032{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7236881305D927BA9C7B01173DAA322C,SHA256=81AEE691D9CEE8B1C5A6EFAFA8873841A895585245C1345E1A780A3F4311D6D6,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 18141800x800000000000000057346657Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:41.965{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x800000000000000057346656Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:41.965{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x800000000000000057346655Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:19:12.451{8B6011A9-BB96-618B-7AA0-04000000F101}7856C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-469.attackrange.local54566-false10.0.1.12ip-10-0-1-12.us-west-2.compute.internal8000- 11241100x800000000000000057346654Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:41.201{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346653Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:41.200{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A89ABE705886E23C39C55F7B89CEDAF2,SHA256=AAE2B24ED366F415EAA0C65B27277441F4F2A07F80FBD4656C5B7550D7627A0Dfalsetrue 23542300x800000000000000021219852Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:41.189{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8F1A9B5B5A9FAD469402F88AEFCCCE,SHA256=66A6087D1DD05E16F972C60263785E0B4942549C6DA3FC75BC8189BAFA1B9A4D,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 11241100x800000000000000057346652Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:41.119{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Security2021-09-16 14:18:46.122 23542300x800000000000000057346651Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:41.119{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=150EEECF7C664DE5FB1AE0C32300918A,SHA256=95D6F1E3E15EE24A20C7AB75779968FB567561A8BB9288D62FBBB2ECB28C8F9Efalsetrue 23542300x800000000000000021219853Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:42.189{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0D3990DE55C22B6EFE538D87604EFB2,SHA256=9A5C397AC8545C92272AB1BCF3C187C1418509C96E407682975C69007D0C5525,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 12241200x800000000000000057346935Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.936{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 11241100x800000000000000057346934Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.833{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346933Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.833{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A7AF8749C795E426B01B3CAA85AA3F9A,SHA256=8C1F5EDA3E301E2FC2AFE6B8B53C65C1062005E860AC3735CF6AF20F5EC5FC8Bfalsetrue 12241200x800000000000000057346932Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.798{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346931Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.798{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346930Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346929Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346928Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346927Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346926Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346925Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346924Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346923Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346922Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346921Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346920Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346919Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346918Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346917Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346916Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346915Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346914Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346913Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346912Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346911Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346910Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.797{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346909Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.699{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationucrtbase_clr0400.dllMD5=F8F171BE1820544E15B555847005355C,SHA256=CDDF9A2BF085AE59BA464B3BA6394AACFC342DA5F17D77FD5306054C8AABF153trueMicrosoft CorporationValid 12241200x800000000000000057346908Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346907Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346906Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346905Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346904Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346903Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346902Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346901Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346900Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346899Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346898Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346897Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346896Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346895Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346894Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346893Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346892Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346891Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346890Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346889Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 734700x800000000000000057346888Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.680{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\vcruntime140_clr0400.dll14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140_clr0400.dllMD5=63936588122BDEE9624D02CE3F8F54EA,SHA256=21F7E6165CE8DD92DB8CDF48CEE83DE64B2B0807B7B499CF87678B70C6F8C32FtrueMicrosoft CorporationValid 12241200x800000000000000057346887Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346886Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346885Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346884Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346883Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346882Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346881Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346880Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346879Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346878Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346877Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346876Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346875Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346874Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346873Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346872Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346871Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346870Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346869Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346868Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346867Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057346866Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.680{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll4.8.4410.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationclr.dllMD5=1AF77AF533C702978D4C91C31DB1CCE5,SHA256=39AB2B2B034E3210D866FCF8649EB84C28E3DAB7CB7FA7C986346C6A9ED22D0AtrueMicrosoft CorporationValid 12241200x800000000000000057346865Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346864Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346863Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346862Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346861Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346860Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346859Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.780{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346858Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.701{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=1AF6CD8B7CE4A852F67AA98C71AA1D26,SHA256=EF0DE008500A8C9C7908383AF11AE55845EBBE28C96C013EA720950BA89D3D28trueMicrosoft WindowsValid 12241200x800000000000000057346857Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.680{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 13241300x800000000000000057346856Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-SetValue2021-11-12 12:18:42.680{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll\\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQWORD (0x01d7d7bf-0x6eb50ae2) 12241200x800000000000000057346855Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.680{8B6011A9-884A-6164-0100-00000000F101}4SystemHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework64/v4.0.30319/clr.dll 11241100x800000000000000057346854Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.633{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346853Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.633{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DEE09A6F139572D78F557EB5898603,SHA256=A2AE86C4DB2A8AD2A54A16BAC2155643DD1DB97817B18FA5BA8D9075948DE49Cfalsetrue 11241100x800000000000000057346852Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 11241100x800000000000000057346851Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_Operational2021-09-16 14:18:25.134 23542300x800000000000000057346850Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4B776FC29A7FBE37C05AEDC993745685,SHA256=7E51B6A575701B0A4C33D9856F10A4F59062A6AB77DADC10F4EAD0BEBCC088FEfalsetrue 23542300x800000000000000057346849Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=640199E4EA7FEEEAD308A00BC19731BF,SHA256=38A589170D1DF4CA14EB904FB7C8C6D8F19DA2C21CE3121C3D9D2BB1062DE4E5falsetrue 11241100x800000000000000057346848Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346847Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.580{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=341560F0E44EAF94838E1737A4E272F1,SHA256=562C5FEAD6E1391EF29093FAAED2061857A29890D5F371007E7FE99813DF02B6falsetrue 12241200x800000000000000057346846Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346845Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346844Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346843Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346842Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346841Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346840Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346839Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346838Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346837Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346836Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346835Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346834Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346833Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346832Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.533{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=899A8B655E52A061B33571D97C5C06ED,SHA256=DE05B03E37FB9BA5D74CF8FA36A6F0B15AB61705285B738BC90D14FDE580A45EtrueMicrosoft CorporationValid 12241200x800000000000000057346831Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346830Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346829Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346828Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346827Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346826Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346825Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346824Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346823Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.549{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346822Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.549{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057346821Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.549{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659CtrueMicrosoft WindowsValid 734700x800000000000000057346820Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.533{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 12241200x800000000000000057346819Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346818Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346817Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346816Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346815Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346814Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346813Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346812Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346811Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346810Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346809Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346808Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346807Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346806Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346805Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346804Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346803Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 734700x800000000000000057346802Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=5ECE402D7E12EC3750D044BF3D878DF6,SHA256=3F02B1AE7B61BC36B04EA2B82ED79F112219F4E9668518030FF14B005E2C9BBCtrueMicrosoft WindowsValid 12241200x800000000000000057346801Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346800Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346799Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346798Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346797Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346796Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346795Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346794Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.533{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346793Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346792Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346791Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 12241200x800000000000000057346790Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346789Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346788Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346787Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346786Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346785Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346784Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346783Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346782Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346781Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346780Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346779Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057346778Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\atl.dll3.05.2284ATL Module for Windows XP (Unicode)Microsoft (R) Visual C++Microsoft CorporationATL.DLLMD5=C1B73181019C1E1F28F4161B5F198B7F,SHA256=C3678504437D23910C18D3680B05B4E819A2229BDD0E1E0567186C70D814560DtrueMicrosoft WindowsValid 12241200x800000000000000057346777Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346776Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346775Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346774Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346773Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346772Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346771Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346770Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346769Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346768Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346767Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346766Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346765Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346764Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346763Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057346762Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057346761Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057346760Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346759Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057346758Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346757Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346756Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346755Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346754Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346753Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346752Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346751Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346750Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346749Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436trueMicrosoft WindowsValid 12241200x800000000000000057346748Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346747Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346746Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346745Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346744Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057346743Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057346742Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057346741Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057346740Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.517{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057346739Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5trueMicrosoft WindowsValid 734700x800000000000000057346738Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75EtrueMicrosoft WindowsValid 734700x800000000000000057346737Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346736Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346735Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.517{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346734Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346733Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 12241200x800000000000000057346732Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.502{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346731Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346730Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346729Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ole32.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=676B0A1FB2A01D19AECB1F19883B6FC4,SHA256=56DEB219840DBAF9DAF645AD5D79AF9AB05F20E688382854DD487F440B257552trueMicrosoft WindowsValid 734700x800000000000000057346728Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346727Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346726Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346725Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346724Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x800000000000000057346723Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8cd5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c3b1e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01f5|UNKNOWN(00007FFCBCEFB383) 734700x800000000000000057346722Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346721Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 12241200x800000000000000057346720Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.502{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057346719Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.502{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057346718Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.502{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 10341000x800000000000000057346717Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.480{8B6011A9-888A-6164-7000-00000000F101}34483444C:\Windows\system32\csrss.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346716Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.480{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\9acccfc2a758c682d6a8c44451f5ccfd\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257223a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25720a1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25fb1d2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+256a327(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303aba9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|UNKNOWN(00007FFCBCFB2BBE) 154100x800000000000000057346715Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.439{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1220\src\msxslxmlfile.xml) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\2\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 11241100x800000000000000057346714Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.149{8B6011A9-BB9D-618B-83A0-04000000F101}5620C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_Operational2021-09-16 14:17:52.179 23542300x800000000000000057346713Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.149{8B6011A9-BB9D-618B-83A0-04000000F101}5620NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=67716390A61B3047A8918A259BCE8906,SHA256=7246F6ADC8DD6466D950A42A63C5F8913A44B64A7EFBD65729D0A387DCCFE1A8falsetrue 534500x800000000000000057346712Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.118{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exe 734700x800000000000000057346711Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002AtrueMicrosoft WindowsValid 734700x800000000000000057346710Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74trueMicrosoft WindowsValid 734700x800000000000000057346709Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\wkscli.dll10.0.14393.0 (rs1_release.160715-1616)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3DCBAE237E4E1F0EBE8E7DC053F778C4,SHA256=C3331CCBE71CC98A5F1BC013F1C0218FE194CA7B497DDF706BF9025AB5A7B330trueMicrosoft WindowsValid 734700x800000000000000057346708Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923trueMicrosoft WindowsValid 734700x800000000000000057346707Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\authz.dll10.0.14393.1737 (rs1_release_inmarket.170914-1249)Authorization FrameworkMicrosoft® Windows® Operating SystemMicrosoft Corporationauthz.dllMD5=6BAADF6A3E985DE5AB6FDA778E18F1A5,SHA256=8FD060B0F29A1FB23C3D1F389C22EC067247F1E457F331D2B15AE44323ECB8D0trueMicrosoft WindowsValid 734700x800000000000000057346706Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\sspicli.dll10.0.14393.2580 (rs1_release_inmarket.181009-1745)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=5061339CE61C0B32DB8F51A95E3B2422,SHA256=60558CA374334D4C6BBAD475921538C14A9FF3422893348A0503C1F33015FD25trueMicrosoft WindowsValid 734700x800000000000000057346705Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5trueMicrosoft WindowsValid 734700x800000000000000057346704Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=8AAF6E1B14B9210052FFF90E25926D63,SHA256=F2120C8E63EA94F8618B31319A534731C16D8FDD58B0E1E70217D72A39D78353trueMicrosoft WindowsValid 734700x800000000000000057346703Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3trueMicrosoft WindowsValid 734700x800000000000000057346702Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\combase.dll10.0.14393.4583 (rs1_release.210730-1850)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=878EBD02A580FDF8F187100127E6D3A8,SHA256=54E4BADDFBD97CFFF871B6D7316B28872218B92F37C41199F71EB37BC5634216trueMicrosoft WindowsValid 734700x800000000000000057346701Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\shlwapi.dll10.0.14393.4169 (rs1_release.210107-1130)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=F9E249B6BB80C06BA30A61854567796C,SHA256=E5F62CD5D2FE7BE8D4E029ECA004A8773FF8D1F7AB92C115810AD54B5B8F50CAtrueMicrosoft WindowsValid 734700x800000000000000057346700Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346699Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32full.dll10.0.14393.4530 (rs1_release.210705-0736)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=9D82D7DBC3D9E0D8E86D10A5B1BF736E,SHA256=270CA1A42ECB4C22E826C1C95924F0014CC99254AB55B7167DA144D45E238E6DtrueMicrosoft WindowsValid 734700x800000000000000057346698Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8trueMicrosoft WindowsValid 734700x800000000000000057346697Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15trueMicrosoft WindowsValid 734700x800000000000000057346696Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3trueMicrosoft WindowsValid 734700x800000000000000057346695Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346694Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346693Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 734700x800000000000000057346692Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\advapi32.dll10.0.14393.4467 (rs1_release.210604-1844)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=A8CDCAC5C32D14ED8AADDF5489FC5D55,SHA256=140F07A8F6780DAFE20CC4FBE86C9332FB2F0C26ED8F49914BD05265C63EF6F1trueMicrosoft WindowsValid 10341000x800000000000000057346691Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.102{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346690Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.101{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346689Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.101{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346688Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.100{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346687Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.100{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exeC:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exeMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88AtrueMicrosoft WindowsValid 10341000x800000000000000057346686Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.099{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346685Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.098{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+30ef8c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2593341(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25751e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2565f01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2573443(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572fb5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64) 154100x800000000000000057346684Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.065{8B6011A9-5BA2-618E-50F3-04000000F101}6824C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 18141800x800000000000000057346683Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-ConnectPipe2021-11-12 12:18:42.049{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x800000000000000057346682Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:42.049{8B6011A9-C6FA-616E-9B35-01000000F101}300<Anonymous Pipe>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 534500x800000000000000057346681Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXE 12241200x800000000000000057346680Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057346679Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nlaapi.dll10.0.14393.3808 (rs1_release.200707-2105)Network Location Awareness 2Microsoft® Windows® Operating SystemMicrosoft Corporationnlaapi.dllMD5=63EB5F68082B8C8C392E5DAC1D4EC678,SHA256=58EC364601FA6FE26525D8ADB44B7EDEFCFB73E72897C77B6E37F73E1C7BF871trueMicrosoft WindowsValid 734700x800000000000000057346678Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\winrnr.dll10.0.14393.0 (rs1_release.160715-1616)LDAP RnR Provider DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationwinrnrMD5=B0DE13ABF238AB28E963629B977A012F,SHA256=43288C8A658C2F0CB0CB1C9D874506D6CEEF455AAB68CE2EF0D685DE8E3BA0C3trueMicrosoft WindowsValid 12241200x800000000000000057346677Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057346676Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 12241200x800000000000000057346675Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXEHKLM\System\CurrentControlSet\Services\Tcpip\Parameters 734700x800000000000000057346674Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728BtrueMicrosoft WindowsValid 734700x800000000000000057346673Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27trueMicrosoft WindowsValid 734700x800000000000000057346672Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9trueMicrosoft WindowsValid 734700x800000000000000057346671Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\NapiNSP.dll10.0.14393.0 (rs1_release.160715-1616)E-mail Naming Shim ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationnapinsp.dllMD5=71514D9A6350A37B4F0BAA6ACB751771,SHA256=5DB99D6784900D85BB4A62E9F40B4EC628054D41B38A5E93F80C7A8BB066EBBBtrueMicrosoft WindowsValid 734700x800000000000000057346670Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202trueMicrosoft WindowsValid 734700x800000000000000057346669Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.049{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\rpcrt4.dll10.0.14393.4467 (rs1_release.210604-1844)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=B0C4BF9491FB453B77399E3C56C11DC8,SHA256=66D5D1B3D25D15EA8737C8B2EF83E770BA10931868F24DCACC50936F0A0BAC08trueMicrosoft WindowsValid 734700x800000000000000057346668Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\sechost.dll10.0.14393.3808 (rs1_release.200707-2105)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=E6B98644CD3B912C44C39CC0996790A9,SHA256=23BE56E1B8DBA449C0959753175BD15457EC88E93E9E8B86489266347959A6F2trueMicrosoft WindowsValid 734700x800000000000000057346667Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 734700x800000000000000057346666Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4trueMicrosoft WindowsValid 10341000x800000000000000057346665Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-C6FA-616E-9C35-01000000F101}41365516C:\Windows\system32\conhost.exe{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x800000000000000057346664Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\KernelBase.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=0F627827D9CFFA8E0BCF30F013FB7209,SHA256=EA47C3E471801ACA92EE449C66CF785EA670ADE92A5A2D5CDB81C93DD72ABEF0trueMicrosoft WindowsValid 734700x800000000000000057346663Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\kernel32.dll10.0.14393.4350 (rs1_release.210407-2154)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=A5AD62615D2361BFAEC6C047B199184C,SHA256=B43F3DFDAF7BAA7A2B97015631F96CE429C50348D380080CFC29C36F959D7886trueMicrosoft WindowsValid 734700x800000000000000057346662Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\ntdll.dll10.0.14393.4530 (rs1_release.210705-0736)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=36B87C41EE39F3051D116F735EBEF866,SHA256=9C45BAE6D7E27B3AE04BBF88B96686C04ED6A43695558E82B687013BA0383F8AtrueMicrosoft WindowsValid 734700x800000000000000057346661Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXEC:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exeMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1trueMicrosoft WindowsValid 10341000x800000000000000057346660Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-888A-6164-7000-00000000F101}34483876C:\Windows\system32\csrss.exe{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x800000000000000057346659Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:42.033{8B6011A9-C6FA-616E-9B35-01000000F101}3006716C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+30ef8c9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2593341(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2575350(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+25751e1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2565f01(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2573443(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572fb5(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+2572d22(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+257295d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+303ac8b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+252f8cf(wow64) 154100x800000000000000057346658Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:41.977{8B6011A9-5BA1-618E-4FF3-04000000F101}7628C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{8B6011A9-8897-6164-CBF3-050000000000}0x5f3cb2HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1{8B6011A9-C6FA-616E-9B35-01000000F101}300C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x800000000000000021219854Microsoft-Windows-Sysmon/Operationalwin-host-874.attackrange.local-2021-11-12 12:18:43.236{AD5E2759-54D4-6143-DD00-00000000F101}1092NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A4C6526296761315C830779D16330C,SHA256=F6BE2B584CAD6E234AA512474C8227718CE5977B9C3939F2744B7382B804B2C0,IMPHASH=00000000000000000000000000000000falsefalse - insufficient disk space 734700x800000000000000057347332Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.997{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0trueMicrosoft WindowsValid 12241200x800000000000000057347331Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.997{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347330Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.997{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347329Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347328Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347327Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347326Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347325Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347324Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347323Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347322Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347321Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.996{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347320Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347319Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347318Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347317Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347316Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057347315Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.838{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\AppxSip.dll10.0.14393.4169 (rs1_release.210107-1130)Appx Subject Interface PackageMicrosoft® Windows® Operating SystemMicrosoft CorporationAppxSip.dllMD5=33AEB645167296EFE22E1BB64B63CBFC,SHA256=6E2B948F3CD7EEC6D9A9A864476F074FB5876E397916FF81A39B23976489AB52trueMicrosoft WindowsValid 12241200x800000000000000057347314Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347313Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347312Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347311Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347310Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347309Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347308Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347307Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347306Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.995{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347305Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.993{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347304Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.990{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347303Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.990{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347302Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.836{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Dired13b18a9#\85691b702c65c1297dd5294e1969beb4\System.DirectoryServices.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.DirectoryServices.dllMD5=05D15B1B56CA953CA35E6738883CB557,SHA256=68DA3DBA92F2FFE1AAD95B46E65186EE16FC700AF01738E838732EF0B94F1A98false-Unavailable 17141700x800000000000000057347301Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreatePipe2021-11-12 12:18:43.980{8B6011A9-5BA2-618E-51F3-04000000F101}7356\PSHost.132811931224397609.7356.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 12241200x800000000000000057347300Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347299Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.973{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347298Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347297Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347296Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347295Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347294Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347293Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347292Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347291Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.972{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347290Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347289Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347288Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347287Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 734700x800000000000000057347286Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.824{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\wshext.dll5.812.10240.16384Microsoft ® Shell Extension for Windows Script HostMicrosoft ® Windows Script HostMicrosoft Corporationwshext.dllMD5=BA425FEBA35E20778ADB8FAF7268D8A0,SHA256=3A2F8057B4312BE9389CB86C8C3FA8BA3A590E3CE811AB163D77159DB095AA41trueMicrosoft WindowsValid 12241200x800000000000000057347285Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347284Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347283Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347282Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347281Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347280Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347279Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347278Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347277Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347276Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347275Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.971{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347274Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.968{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347273Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.964{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347272Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.964{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 734700x800000000000000057347271Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.822{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management\d0fbbab68671be0c0f3a6297e7ca803d\System.Management.ni.dll4.8.3761.0 built by: NET48REL1.NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=DBB27AB7CAB61053088108EADD3FF3A1,SHA256=703DD09A5B05E85DAC24B667BC3245FBD5E5656E5310E2C12D07854509D5B197false-Unavailable 12241200x800000000000000057347270Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.947{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347269Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.946{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347268Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347267Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CRLs 12241200x800000000000000057347266Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\Certificates 12241200x800000000000000057347265Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347264Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed 12241200x800000000000000057347263Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347262Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347261Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347260Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347259Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347258Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347257Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347256Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 734700x800000000000000057347255Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-2021-11-12 12:18:43.809{8B6011A9-5BA2-618E-51F3-04000000F101}7356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\msisip.dll5.0.14393.4530 (rs1_release.210705-0736)MSI Signature SIP ProviderWindows Installer - UnicodeMicrosoft CorporationMSISIP.DLLMD5=A579FD92E60D1CE05E20BF7569D579E8,SHA256=CD9DF3851153E3770E343CE224E6F969B9C5A466BF8C1036242DCBB5CE0F7986trueMicrosoft WindowsValid 12241200x800000000000000057347254Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347253Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347252Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347251Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347250Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347249Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs 12241200x800000000000000057347248Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs 12241200x800000000000000057347247Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates 12241200x800000000000000057347246Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347245Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.945{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed 12241200x800000000000000057347244Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.943{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347243Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.930{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347242Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.930{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing 12241200x800000000000000057347241Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}2856C:\Windows\sysmon64.exeHKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Disallowed\CTLs 12241200x800000000000000057347240Microsoft-Windows-Sysmon/Operationalwin-dc-469.attackrange.local-CreateKey2021-11-12 12:18:43.929{8B6011A9-887D-6164-2700-00000000F101}